Subject: FW: XML Daily Newslink. Thursday, 06 August 2009
FYI, all.

Since [xml-names] has come up with regard to xml:id in the XML elements of an ODF document, the proposed update is probably worthy of review.

Also, I wonder from time to time whether a security considerations section (as required in IETF RFCs) is called for in the ODF specifications or as an aspect of profiling. The first clipping, below, reminded me of that concern. I am not sure there is anything in particular called for (other than perhaps pointing out those security-like features that should not be relied upon for any high level of security or privacy). It seems that most vulnerabilities will be ones in libraries and custom implementations of processors for foundation features relied upon by reference (i.e., XML, Zip, and IRIs). I'm not sure that there is anything at the ODF specification level except for certain features that provide an illusion of security. This is not the same as being able to inject code or crash systems, though.

 - Dennis

-----Original Message-----
From: Robin Cover [mailto:robin@oasis-open.org]
Sent: Friday, August 07, 2009 18:42
To: XML Daily Newslink
Subject: XML Daily Newslink. Thursday, 06 August 2009

XML Daily Newslink. Thursday, 06 August 2009
A Cover Pages Publication http://xml.coverpages.org/
Provided by OASIS http://www.oasis-open.org
Edited by Robin Cover

====================================================
This issue of XML Daily Newslink is sponsored by Sun Microsystems, Inc. http://sun.com
====================================================

Online HTML: http://xml.coverpages.org/newsletter/news2009-08-06.html

HEADLINES:

* Analyst: Expect Hacker Attacks on XML Flaws
* [ ... ]
* W3C Proposed Edited Recommendation: Namespaces in XML 1.0 (Third Edition)
* [ ... ]

----------------------------------------------------------------------

Analyst: Expect Hacker Attacks on XML Flaws
Ellen Messmer, Network World

"One day after reports of vulnerabilities in XML libraries, Gartner analyst Neil MacDonald is warning companies not to ignore the danger of attacks that exploit those flaws: 'Hackers are moving up the stack to the application level; XML-based attacks can be expected to be the next big thing for hackers.' Security test toolmaker Codenomicon and the Finnish Computer Emergency Response Team (CERT-FI) disclosed security risks in XML libraries that could result in successful denial-of-service attacks on applications built with them. A wide variety of applications have implemented the vulnerable XML libraries, which include those from Python Software Foundation, Sun Microsystems and Apache Software Foundation. Developers are being advised to follow instructions for remediation from vendors to prevent the exploits detailed by CERT-FI and Codenomicon... The vulnerabilities relate to the parsing of XML elements with unexpected byte values and recursive parentheses, which cause the program to access memory out of bounds, or to loop indefinitely..."

According to the CERT-FI Advisory on XML Libraries: "The effects of the vulnerabilities include denial of service and potentially code execution. The vulnerabilities can be exploited by enticing a user to open a specially modified file, or by submitting it to a server that handles XML content... CERT-FI has coordinated the release of this vulnerability between the vulnerability researcher and the affected vendors."

NIST's Vulnerability Summary for CVE-2009-2625 asserts: "Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework..."

http://www.networkworld.com/news/2009/080609-xml-library-warning.html

See also the text of the CERT-FI Advisory on XML libraries: http://www.cert.fi/en/reports/2009/vulnerability2009085.html

----------------------------------------------------------------------
[ ... ]
----------------------------------------------------------------------

W3C Proposed Edited Recommendation: Namespaces in XML 1.0 (Third Edition)
Tim Bray, Dave Hollander, Andrew Layman, Richard Tobin (et al), W3C TR

Members of the W3C XML Core Working Group have published the Third Edition of Namespaces in XML 1.0 as a W3C Proposed Edited Recommendation. "XML Namespaces provide a simple method for qualifying element and attribute names used in Extensible Markup Language documents by associating them with namespaces identified by URI references. The Third Edition as proposed incorporates all outstanding errata." A colored diff-marked version highlights the changes (added text, changed text, deleted text). The review period is open until 14-September-2009. "There are several editorial changes, including a number of terminology changes and additions intended to produce greater consistency. The non-normative appendix 'The Internal Structure of XML Namespaces' has been removed. The BNF has been adjusted to inter-connect properly with all editions of XML 1.0, including the fifth edition."

http://www.w3.org/TR/2009/PER-xml-names-20090806/

See also references for Namespaces in XML: http://xml.coverpages.org/namespaces.html

----------------------------------------------------------------------
[ ... ]
----------------------------------------------------------------------

XML Daily Newslink and Cover Pages are supported by OASIS Foundational Sponsors:
Microsoft Corporation http://www.microsoft.com
Oracle Corporation http://www.oracle.com
Sun Microsystems, Inc. http://sun.com

----------------------------------------------------------------------
XML Daily Newslink: http://xml.coverpages.org/newsletter.html
Newsletter archive: http://xml.coverpages.org/newsletterArchive.html
Newsletter subscribe: newsletter-subscribe@xml.coverpages.org
Newsletter unsubscribe: newsletter-unsubscribe@xml.coverpages.org
Newsletter help: newsletter-help@xml.coverpages.org
Cover Pages: http://xml.coverpages.org/
----------------------------------------------------------------------
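The CERT-FI clipping above describes malformed bytes and deeply recursive structures driving XML parsers into out-of-bounds reads or endless loops; the usual mitigation on the consuming side is a budgeted, streaming pre-check before a document (for ODF, the XML parts inside the Zip) reaches a full-featured parser. The following is an added example using Python's expat binding, not code from the newsletter, the advisory, or any ODF project; the ODF-style sample documents and the depth and element budgets are constructed for illustration.

```python
import xml.parsers.expat


class XmlLimitExceeded(Exception):
    """Raised when the input exceeds the nesting-depth or element-count budget."""


def check_xml_limits(data, max_depth=64, max_elements=100_000, chunk=4096):
    """Stream-parse `data` (bytes) with expat and abort as soon as nesting depth
    or total element count exceeds the budget.  Returns (accepted, reason, summary);
    malformed input is reported as rejected rather than raised to the caller."""
    state = {"depth": 0, "max_depth": 0, "elements": 0}

    def on_start(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        state["max_depth"] = max(state["max_depth"], state["depth"])
        if state["depth"] > max_depth:
            raise XmlLimitExceeded("nesting depth %d exceeds %d" % (state["depth"], max_depth))
        if state["elements"] > max_elements:
            raise XmlLimitExceeded("element count exceeds %d" % max_elements)

    def on_end(name):
        state["depth"] -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        # Feed the document in chunks so a large part is never buffered whole;
        # an exception raised inside a handler propagates out of Parse().
        for off in range(0, len(data), chunk):
            parser.Parse(data[off:off + chunk], False)
        parser.Parse(b"", True)
    except XmlLimitExceeded as exc:
        return False, str(exc), dict(state)
    except xml.parsers.expat.ExpatError as exc:
        return False, "malformed XML: %s" % exc, dict(state)
    return True, "ok", dict(state)


# Constructed sample inputs (hypothetical, not taken from any real ODF file).
SAMPLE_OK = (b'<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
             b' xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0">'
             b'<office:body><office:text><text:p>hi</text:p></office:text></office:body>'
             b'</office:document-content>')
SAMPLE_DEEP = b"<a>" * 500 + b"</a>" * 500   # 500 levels of nesting, well-formed
SAMPLE_BAD = b"<a>\xff</a>"                  # 0xFF is not a valid UTF-8 byte
```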