Poorly written XML parsers (and I've written my fair share) are always open to DoS attacks; XML has no upper bound on element names, attribute value length, stack depth ...

http://en.wikipedia.org/wiki/Billion_laughs

Same is mostly true of JSON parsers as well of course.

If you let potentially hostile users feed arbitrary data into any of these, even a totally non-buggy, perfectly conformant parser is wide-open to being abused via DoS.
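An added example, not code from this thread, of the bounds the comment above says XML itself never imposes: a thin wrapper over Python's expat binding that caps nesting depth, name and attribute-value length, and refuses entity declarations outright, so an expanding entity chain is rejected before it is ever expanded. The limit values and the sample inputs are constructed for illustration.

```python
import xml.parsers.expat

class XmlLimitExceeded(Exception):
    pass

def parse_with_limits(data, max_depth=64, max_name_len=256,
                      max_attr_value_len=4096, max_entity_decls=0):
    # Enforce bounds the XML spec itself lacks; raise at the first breach,
    # before more memory or CPU goes into the rest of the document.
    parser = xml.parsers.expat.ParserCreate()
    depth = deepest = entity_decls = 0

    def start_element(name, attrs):
        nonlocal depth, deepest
        depth += 1
        deepest = max(deepest, depth)
        if depth > max_depth:
            raise XmlLimitExceeded("nesting deeper than %d" % max_depth)
        if len(name) > max_name_len:
            raise XmlLimitExceeded("element name longer than %d" % max_name_len)
        for key, value in attrs.items():
            if len(key) > max_name_len or len(value) > max_attr_value_len:
                raise XmlLimitExceeded("attribute %r exceeds size limit" % key)

    def end_element(name):
        nonlocal depth
        depth -= 1

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Every <!ENTITY> declaration lands here, so an expanding chain
        # (billion laughs) is refused at its first declaration, unexpanded.
        nonlocal entity_decls
        entity_decls += 1
        if entity_decls > max_entity_decls:
            raise XmlLimitExceeded("entity declaration %r not allowed" % name)

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.EntityDeclHandler = entity_decl
    parser.Parse(data, True)
    return {"max_depth": deepest, "entity_decls": entity_decls}

def is_rejected(data, **limits):
    try:
        parse_with_limits(data, **limits)
    except XmlLimitExceeded:
        return True
    return False

# Constructed sample inputs, not taken from the thread.
BENIGN_XML = b'<root><item id="1">ok</item><item id="2"/></root>'
ENTITY_XML = b'<!DOCTYPE d [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]><d>&b;</d>'
DEEP_XML = b"<a>" * 100 + b"</a>" * 100
```

Rejecting at the first entity declaration is the right default for a service that has no business accepting DTDs; if your inputs legitimately need a DTD, raise `max_entity_decls` to a small number rather than removing the check.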
Here's the original press release from the company:

http://www.codenomicon.com/news/press-releases/2009-08-05.shtml

And a CERT-FI advisory:

http://www.cert.fi/en/reports/2009/vulnerability2009085.html

Also the expat-bugs and expat-discuss mailing lists were very active in January/February with seemingly related issues:

http://mail.libexpat.org/pipermail/expat-bugs/2009-January/thread.html

http://mail.libexpat.org/pipermail/expat-discuss/2009-February/thread.html
So then there is nothing wrong with XML… There is everything wrong with a few parsers.

Wouldn't a better title be "XML Parser Flaws Doom Computing World"?
Because of the nature of the flaw, details have not been published. (Also see the original article at http://www.codenomicon.com/labs/xml/) Not clear what can be done about the issue, and how bad the issue is. Should we just wait for it to be resolved?
Pretty skeptical this flaw could be in "virtually every open-source XML library available". Seems unlikely a million brains collectively missed whatever this is.
Unless they can trigger an infinite loop I'm not really worried about Java/Python based web services being affected. Any exception should be caught on a per-request basis.