BannerPortlet

Blogs

General Information

Libxml2 is an open source software library for parsing XML documents. In October 2010, vulnerability researchers team at Bkis have found a high security vulnerability in libxml2. This library is used by many popular softwares, browsers and operating systems for example, Google Chrome, Apple Safari, Linux OS, etc. Thus, these softwares, particularly browsers, are vulnerable to attacks. Bkis has reported the vulnerability to the related vendors.

Details

Bkis Advisory

Bkis-05-2010

CVE reference

CVE-2010-4008

Initial vendor notification

11-10-2010

Release Date

05-10-2010

Update Date

05-10-2010

Discovered by

Bui Quang Minh - Bkis

Attack Type

Invalid Memory Access

Security Rating

High

Impact

Remote Attack

Affected Software

Libxml2 < 2.7.8

Google Chrome < 7.0.517.44

Apple Safari <= 5.0.2

Technical Description

XPATH is a language querying content from XML documents. The vulnerability lies in the module processing this query language. Specifically, libxml2 does not well process a malformed XPATH, causing crash.

To exploit this vulnerability, hacker may send user a link containing malicious XPATH. When user opens this link, the malicious code will be executed, attacking user's system.

Solution

Google team has issued the patch for this vulnerability in libxml2-2.7.8. Besides, Google also updates the latest libxml2 in Chrome 7.0.517.44. Apple Safari and some other popular software vendors using libxml2 are in their updating process but have not issued the official patch yet.

Rating this vulnerability as high security, Bkis recommends users, particular browser users, update the latest version of their software. Since Apple Safari has not issued the official patch yet, users should keep track on the vendors' information and update their software as soon as the patch is released.

In addition, those teams who use libxml2 in their software should also update the latest version of their libxml2 immediately.

Bkis

Leave a Reply

Name (required)
Mail (hidden) (required)
Website
Text to Identify
Reload-Capcha
CAPTCHA Code *

Popup Date Time Portlet

Blogs Aggregator

Blog Category Portlet

Categories

Store Portlet

Archives

Vote Baby Portlet