FW: XML Daily Newslink. Thursday, 06 August 2009

["Dennis E. Hamilton" <dennis.hamilton@acm.org>]

FYI, all

Since [xml-names] has come up with regard to xml:id in the XML elements of
an ODF document, the proposed update is probably worthy of review.

Also, I wonder from time to time whether a security considerations section
(as required in IETF RFCs) is called for in the ODF specifications or as an
aspect of profiling.  The first clipping, below, reminded me of that
concern.

I am not sure there is anything in particular called for (other than perhaps
pointing out those security-like features that should not be relied upon for
any high level of security or privacy).  It seems that most vulnerabilities
will be ones in libraries and custom implementations of processors for
foundation features relied upon by reference (i.e., XML, Zip, and IRIs).
I'm not sure that there is anything at the ODF specification level except
for certain features that provide an illusion of security.  This is not the
same as being able to inject code or crash systems though. 

 - Dennis

-----Original Message-----
From: Robin Cover [mailto:robin@oasis-open.org] 
Sent: Friday, August 07, 2009 18:42
To: XML Daily Newslink
Subject: XML Daily Newslink. Thursday, 06 August 2009

XML Daily Newslink. Thursday, 06 August 2009
A Cover Pages Publication http://xml.coverpages.org/
Provided by OASIS http://www.oasis-open.org
Edited by Robin Cover

====================================================
This issue of XML Daily Newslink is sponsored by
Sun Microsystems, Inc.  http://sun.com
====================================================

Online HTML: http://xml.coverpages.org/newsletter/news2009-08-06.html

HEADLINES:

* Analyst: Expect Hacker Attacks on XML Flaws
* [ ... ]
* W3C Proposed Edited Recommendation: Namespaces in XML 1.0 (Third Edition)
* [ ... ]

----------------------------------------------------------------------

Analyst: Expect Hacker Attacks on XML Flaws
Ellen Messmer, Network World

"One day after reports of vulnerabilities in XML libraries, Gartner
analyst Neil MacDonald is warning companies not to ignore the danger
of attacks that exploit those flaws: 'Hackers are moving up the stack
to the application level; XML-based attacks can be expected to be the
next big thing for hackers.'

Security test toolmaker Codenomicon and the Finnish Computer Emergency
Response Team (CERT-FI) disclosed security risks in XML libraries that
could result in successful denial-of-service attacks on applications
built with them. A wide variety of applications have implemented the
vulnerable XML libraries, which include those from Python Software
Foundation, Sun Microsystems and Apache Software Foundation. Developers
are being advised to follow instructions for remediation from vendors
to prevent the exploits detailed by CERT-FI and Codenomicon... The
vulnerabilities relate to the parsing of XML elements with unexpected
byte values and recursive parentheses, which cause the program to access
memory out of bounds, or to loop indefinitely..."

According to the CERT-FI Advisory on XML Libraries: "The effects of the
vulnerabilities include denial of service and potentially code execution.
The vulnerabilities can be exploited by enticing a user to open a
specially modified file, or by submitting it to a server that handles
XML content... CERT-FI has coordinated the release of this vulnerability
between the vulnerability researcher and the affected vendors."

NIST's Vulnerability Summary for CVE-2009-2625 asserts: "Apache Xerces2
Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6
before Update 15 and JDK and JRE 5.0 before Update 20, and in other
products, allows remote attackers to cause a denial of service (infinite
loop and application hang) via malformed XML input, as demonstrated
by the Codenomicon XML fuzzing framework..."

http://www.networkworld.com/news/2009/080609-xml-library-warning.html
See also the text of CERT-FI Advisory on XML libraries:
http://www.cert.fi/en/reports/2009/vulnerability2009085.html

----------------------------------------------------------------------

[ ... ]

----------------------------------------------------------------------

W3C Proposed Edited Recommendation: Namespaces in XML 1.0 (Third Edition)
Tim Bray, Dave Hollander, Andrew Layman, Richard Tobin (et al), W3C TR

Members of the W3C XML Core Working Group have published the Third Edition
of Namespaces in XML 1.0 as W3C Proposed Edited Recommendation. "XML
Namespaces provide a simple method for qualifying element and attribute
names used in Extensible Markup Language documents by associating them
with namespaces identified by URI references. The Third Edition as
proposed incorporates all outstanding errata."  A colored diff-marked
version highlights the changes (added text, changed text, deleted text).
The review period is open until 14-September-2009.

"There are several editorial changes, including a number of terminology
changes and additions intended to produce greater consistency. The
non-normative appendix "The Internal Structure of XML Namespaces" has
been removed. The BNF has been adjusted to inter-connect properly with
all editions of XML 1.0, including the fifth edition."

http://www.w3.org/TR/2009/PER-xml-names-20090806/
See also references for Namespaces in XML:
http://xml.coverpages.org/namespaces.html

----------------------------------------------------------------------

[ ... ]

----------------------------------------------------------------------

XML Daily Newslink and Cover Pages are supported by OASIS
Foundational Sponsors:

Microsoft Corporation     http://www.microsoft.com
Oracle Corporation        http://www.oracle.com
Sun Microsystems, Inc.    http://sun.com

----------------------------------------------------------------------

XML Daily Newslink: http://xml.coverpages.org/newsletter.html
Newsletter archive: http://xml.coverpages.org/newsletterArchive.html
Newsletter subscribe: newsletter-subscribe@xml.coverpages.org
Newsletter unsubscribe: newsletter-unsubscribe@xml.coverpages.org
Newsletter help: newsletter-help@xml.coverpages.org
Cover Pages: http://xml.coverpages.org/

----------------------------------------------------------------------