Codenomicon Ltd, a leading vendor of software security testing solutions, announced today that it has helped fix multiple critical flaws in popular XML libraries, including implementations from Sun Microsystems, Apache Software Foundation, and Python.
Codenomicon discovered the vulnerabilities in early 2009 as part of the development of a new product for XML testing. When XML libraries were subjected to tests, multiple vulnerabilities were quickly identified in parsing XML data. The vulnerabilities could be exploited by enticing a user to open a specially crafted XML file, or by submitting malicious requests to web services that handle XML content. The impact of the discovered vulnerabilities varies from denial-of-service attacks to potential execution of malicious code on affected systems. After the vulnerabilities had been found, Codenomicon worked together with CERT-FI (Finnish National Computer Emergency Response Team) to coordinate the remediation of the issues with the affected vendors. In addition to Sun, Apache, and Python, a few other projects are expected to announce their fixes at a later time.
"XML implementations are ubiquitous - they are found in systems and services where one would not expect to find them," says Erka Koivunen, Head of CERT-FI. "For us it is crucial that end users and organizations who use the affected libraries upgrade to the new versions. This announcement is just the beginning of a long remediation process that ends only when the patches have been deployed to production systems," Koivunen continues.
Codenomicon has been maintaining its lead in development of intelligent model-based fuzzing since 1996, when its founders were working in the widely-acclaimed Oulu University Secure Programming Group (OUSPG) PROTOS research project. Systematic fuzzing was first used to break ASCII/MIME contents in email clients and web services. Later, the same technique was applied to ASN.1 structures in such protocols as SNMP, LDAP and X.509. After Codenomicon was founded in 2001, its DEFENSICS product line has grown to cover over 150 common network protocols and file formats, including wireless interfaces such as Bluetooth and WLAN. DEFENSICS for XML provides an added capability for testing common XML-based protocols and file formats more efficiently than before.
"We initially developed our XML fuzz tests as part of our TR-069 telecommunications protocol test suite, which was released already in January 2009," says Sami Petäjäsoja, Product Manager at Codenomicon. "However, the significance of our XML testing approach was immediately seen to go far beyond the initial set of protocols we were looking at," Petäjäsoja continues. "As XML forms the fundamental basis of many modern protocols and information systems, almost anything can be tested."
XML has come a long way from the days when it provided support for just a few applications and file formats. Today, XML is used in .NET, SOAP, VoIP, Web Services, industrial automation (SCADA) and even banking infrastructure. The new advancements in XML fuzzing have led to the discovery of vulnerabilities and defects in important applications that are deployed in business-critical environments.
XML fuzzing takes XML message structures and alters them in ways beyond imagination. Breaking encodings, repetition of tag elements, dropping tags and elements, using recursive structures, overflows or special characters, and many other techniques will easily corrupt communications. The result can be a Denial of Service (DoS) situation, corruption of data, or even a situation where hostile code can be executed on a vulnerable host.
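The mutation classes listed above can be run against a parser you maintain to confirm it either parses or cleanly rejects each case. This is an added example, not Codenomicon's DEFENSICS code or anything from the original release; the sample document, the function names, and the choice of Python's `xml.etree.ElementTree` as the parser under test are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample document (not taken from any real protocol).
SAMPLE = b'<order id="7"><item qty="2">disk</item><note>ok</note></order>'
ITEM = b'<item qty="2">disk</item>'

# One mutator per technique named in the text; each returns new bytes.
def drop_closing_tag(doc):
    return doc.replace(b"</item>", b"", 1)

def repeat_element(doc, count=1000):
    return doc.replace(ITEM, ITEM * count, 1)

def nest_recursively(doc, depth=500):
    return b"<w>" * depth + doc + b"</w>" * depth

def break_encoding(doc):
    return doc.replace(b"disk", b"di\xff\xfesk", 1)  # invalid UTF-8 bytes

def special_characters(doc):
    return doc.replace(b"ok", b"a<&\x00b", 1)  # raw markup and a NUL byte

def oversize_attribute(doc, size=100_000):
    return doc.replace(b'qty="2"', b'qty="' + b"9" * size + b'"', 1)

MUTATORS = [drop_closing_tag, repeat_element, nest_recursively,
            break_encoding, special_characters, oversize_attribute]

def classify(doc):
    """Feed one test case to the parser under test and label the outcome."""
    try:
        root = ET.fromstring(doc)
    except ET.ParseError:
        return "rejected"  # clean, expected failure mode
    except Exception as exc:  # RecursionError, MemoryError, ...
        return "finding:" + type(exc).__name__
    return "parsed:%d" % sum(1 for _ in root.iter())

def run_campaign(doc=SAMPLE):
    """Apply every mutator once and map its name to the parser's outcome."""
    return {m.__name__: classify(m(doc)) for m in MUTATORS}

if __name__ == "__main__":
    for name, outcome in run_campaign().items():
        print(f"{name:20} {outcome}")
```

A hang or a crash of the interpreter itself cannot be caught in-process, so a real harness runs each case in a child process with a timeout and treats a non-zero exit or a timeout as a finding.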
At the Hacker Halted 2009 security conference in Miami, Florida, in September 2009, Codenomicon will release its new testing solution, DEFENSICS for XML, commercially and explain more details about some of the XML vulnerabilities that were found.
About XML News Desk
The XML-Journal News Desk monitors the world of XML and SOA/Web services to present IT professionals with updates on technology advances and business trends, as well as new products and standards.