XML vulnerability leads to calls for standards change


Summary

German scientists say weakness in cipher block chaining mode for XML encryption means secured communications between Web services can now be decrypted, and call for change in encryption standard.

Scientists from the Ruhr University of Bochum (RUB) in Germany have devised an attack that decrypts data secured with XML encryption, a standard that allows for secured communications between Web services. As there is no fix to the problem currently, they are calling for the World Wide Web Consortium (W3C) to change the standard.

The German researchers, Juraj Somorovsky and Tibor Jager, from RUB noted in a recent press release that XML encryption is used for securing communications between Web services by many companies, including IBM, Red Hat and Microsoft. The discovered vulnerability in cipher block chaining (CBC) mode means that data secured with DES (Data Encryption Standard) or AES (Advanced Encryption Standard) can now be decrypted, leading to a possible leak of sensitive corporate information, they pointed out.
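The property of CBC mode underneath a weakness of this kind is that the receiver cannot tell a modified ciphertext from a genuine one: it decrypts the altered data and reacts to the result, which is what a chosen-ciphertext attack feeds on. The Go example below is added here and is not from the page or the RUB researchers; the key, IV and XML fragment are constructed values. It shows AES-CBC silently accepting a one-byte change that lands in a predictable place in the plaintext, while an authenticated mode (AES-GCM) rejects the same change outright.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed, fixed key and IV so the demo is deterministic.
// A real system must use a fresh random IV/nonce for every message.
var key = []byte("0123456789abcdef0123456789abcdef") // 32 bytes, AES-256
var iv = []byte("fedcba9876543210")                 // 16 bytes, one AES block

// Constructed plaintext: exactly two AES blocks of XML-like content.
var plaintext = []byte("<a>secret1</a>  <b>secret2</b>  ")

// cbcApply runs AES-CBC in one direction over block-aligned input; CBC
// here carries no integrity tag, exactly as in classic XML Encryption.
func cbcApply(in []byte, encrypt bool) []byte {
	block, _ := aes.NewCipher(key)
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, in)
	}
	return out
}

// CBCTamperUndetected flips one byte of ciphertext block 0. CBC decryption
// then garbles block 0 but flips exactly the same byte position in block 1,
// and no error is raised: the receiver has no way to notice the change.
func CBCTamperUndetected() (bool, []byte) {
	ct := cbcApply(plaintext, true)
	ct[3] ^= 0x01
	pt := cbcApply(ct, false)
	return !bytes.Equal(pt[16:], plaintext[16:]), pt
}

// GCMTamperDetected applies the same one-byte change under AES-GCM; the
// authentication tag no longer verifies and Open returns an error.
func GCMTamperDetected() bool {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := iv[:gcm.NonceSize()] // constructed 12-byte nonce
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	ct[3] ^= 0x01
	_, err := gcm.Open(nil, nonce, ct, nil)
	return err != nil
}

func main() {
	changed, pt := CBCTamperUndetected()
	fmt.Printf("CBC: tamper undetected=%v, block 1 now %q\n", changed, pt[16:])
	fmt.Printf("GCM: tamper detected=%v\n", GCMTamperDetected())
}
```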

Both scientists plan to present their findings in more detail at the ACM Conference on Computer and Communications Security later this year.

Somorovsky also called on the W3C, which instituted the XML encryption standard, to replace it. "There is no simple patch for this problem. We therefore propose to change the standard as soon as possible," he said.

The scientists noted that they had informed all possible affected companies through W3C's mailing list, following a "clear, responsible disclosure process".

In a separate report by tech Web site ComputerWorld on Saturday, Microsoft responded to the security threat by acknowledging the inherent weakness in XML encryption. A spokesperson said: "Microsoft is aware of research concerning an industry-wide issue affecting certain implementations of the XML encryption standard. We continue to evaluate our products to determine which applications, if any, use the implementation approach in question."

As for workarounds, Redmond did not have a recommendation to make yet. "We will provide guidance concerning Microsoft's XML implementation to third-party developers as appropriate," the spokesperson added in the report.
