Why do email programs block xml files?
Possible XML based attacks are:
- XML bomb (aka Billion Laughs attack). This is an XML file that uses a recursive custom entity type definition to attack a vulnerable XML parser. The XML bomb has a very small size on disk, but expands up to a huge size when parsed, potentially exhausting the available memory on the victim's device.
- External entity type that may not return. In this case the XML document defines an external entity type at a URL that either does not respond, or responds slowly. This could cause a DoS on the victim's device.
- External entity type that exposes sensitive information. This is similar to point 2 (and is explained at the same link), but in this case the external entity type attempts to expose sensitive local files (e.g. `file:///etc/passwd`).
Whether any of these attacks could succeed depends on the XML parser installed on the local machine. I think applications like newer versions of IE, Firefox etc. protect against these, but older versions or some custom software might be vulnerable.
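The three attacks above can all be spotted from the DOCTYPE before anything is expanded or fetched. The following is an added example (not code from the original answer): a pre-parse check that estimates how large the entity references in a document would become and lists any SYSTEM/PUBLIC entities, then only hands the document to the real parser if it passes. The sample documents, the thresholds and the function names are constructed for the example; the "billion laughs" sample is built in code and never parsed.

```python
import re
import xml.etree.ElementTree as ET

# Matches a DOCTYPE and captures its internal subset (the part in [...]), if any.
DOCTYPE_RE = re.compile(r'<!DOCTYPE\b[^\[>]*(?:\[(?P<subset>.*?)\]\s*)?>', re.S)
# Matches one entity declaration: internal ("value") or external (SYSTEM/PUBLIC "uri").
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?:%\s+)?(?P<name>[^\s"\'>]+)\s+'
    r'(?:(?P<kind>SYSTEM|PUBLIC)\s+(?:"[^"]*"\s+)?"(?P<uri>[^"]*)"'
    r'|"(?P<value>[^"]*)")',
    re.S,
)
# A general entity reference such as &lol9;
REF_RE = re.compile(r'&([A-Za-z_][\w.\-]*);')


def analyze_doctype(doc: str) -> dict:
    """Estimate entity expansion and list external entities without expanding anything."""
    sizes = {}      # entity name -> fully expanded length in characters
    external = []   # (name, uri) for every SYSTEM/PUBLIC entity declared
    m = DOCTYPE_RE.search(doc)
    subset = (m.group('subset') or '') if m else ''
    for ent in ENTITY_RE.finditer(subset):
        name = ent.group('name')
        if ent.group('uri') is not None:
            external.append((name, ent.group('uri')))
            sizes[name] = 0  # size unknown until fetched; reported separately
            continue
        # Internal entity: its expanded size is its literal text plus the expanded
        # size of every entity it references (declared earlier, as in a bomb).
        value = ent.group('value')
        total, pos = 0, 0
        for ref in REF_RE.finditer(value):
            total += ref.start() - pos
            total += sizes.get(ref.group(1), len(ref.group(0)))
            pos = ref.end()
        total += len(value) - pos
        sizes[name] = total
    # References in the body outside the DOCTYPE are what the parser would expand.
    # Unknown names (e.g. the predefined &amp;) are counted at their literal length.
    body = doc[:m.start()] + doc[m.end():] if m else doc
    expansion = sum(sizes.get(r.group(1), len(r.group(0))) for r in REF_RE.finditer(body))
    return {'entities': len(sizes), 'estimated_expansion_bytes': expansion, 'external': external}


def check_xml(doc: str, max_expansion: int = 1_000_000, allow_external: bool = False) -> list:
    """Return the reasons to reject the document; an empty list means it passed."""
    info = analyze_doctype(doc)
    problems = []
    if info['external'] and not allow_external:
        uris = ', '.join(uri for _, uri in info['external'])
        problems.append(f'external entities declared: {uris}')
    if info['estimated_expansion_bytes'] > max_expansion:
        problems.append(f"entity expansion estimated at {info['estimated_expansion_bytes']:,} bytes "
                        f"from {info['entities']} declarations")
    return problems


def parse_if_safe(doc: str) -> ET.Element:
    """Run the pre-check, then parse with the standard library parser."""
    problems = check_xml(doc)
    if problems:
        raise ValueError('; '.join(problems))
    return ET.fromstring(doc)


def _billion_laughs() -> str:
    """Constructed sample: ten nested entities, each ten copies of the previous one."""
    lines = ['<?xml version="1.0"?>', '<!DOCTYPE lolz [', ' <!ENTITY lol "lol">']
    prev = 'lol'
    for i in range(1, 10):
        lines.append(' <!ENTITY lol%d "%s">' % (i, ('&%s;' % prev) * 10))
        prev = 'lol%d' % i
    lines += [']>', '<lolz>&lol9;</lolz>']
    return '\n'.join(lines)


# Constructed sample inputs for the example.
BILLION_LAUGHS = _billion_laughs()
XXE = ('<?xml version="1.0"?>\n'
       '<!DOCTYPE foo [\n <!ENTITY xxe SYSTEM "file:///etc/passwd">\n]>\n'
       '<foo>&xxe;</foo>')
BENIGN = '<?xml version="1.0"?>\n<note><to>Alice &amp; Bob</to></note>'

if __name__ == '__main__':
    for label, sample in [('bomb', BILLION_LAUGHS), ('xxe', XXE), ('benign', BENIGN)]:
        print(label, check_xml(sample) or 'ok')
    print(parse_if_safe(BENIGN).tag)
```

The estimate is an upper bound (a few bytes of overcount for predefined entities is harmless) and the check costs one regex pass over the prologue, so it is cheap enough to run on every attachment before the real parser sees it. Feeding the bomb to the real parser is deliberately left out of the example because what happens then depends on the parser version in use, which is exactly the point made above.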
An attacker can use an XML file for nefarious reasons and, as you asked whether anything like that has occurred in the past, there have been examples of such malicious attached XML files.
In fact, the attack I am going to mention is recent and was carried out at the end of February 2015, when companies were sent spam with a malicious XML file attached:
This attachment is a Microsoft Word XML Document; Microsoft has a special handler for XML files that will choose the application to handle them based upon detection of the contents, as described here, so double clicking on it can lead MS Word to be executed and thus loading the malicious macros embedded within it. Here is a diagram showing how the malicious document was stored:
source
If they block HTML then it also makes sense to block XML, because it can be transformed using XSLT into XHTML (the transformation is supported by all recent browsers passing the Acid3 test), which is pretty much (especially security-wise) like normal HTML.
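Both of the last two answers come down to the same operational question for a mail filter: an ".xml" attachment is not necessarily going to open in an XML viewer. The following is an added example (not code from either answer or from any product): it sniffs an XML attachment for the `mso-application` processing instruction that Windows uses to hand the file to an Office application, for `w:binData` parts (where Word 2003 XML stores base64 binary payloads such as VBA projects), and for an `xml-stylesheet` processing instruction pointing at an XSLT, which is what lets a browser render the file as (X)HTML. The sample documents and the function names are constructed for the example.

```python
import base64
import re

# Processing instruction that tells Windows which Office application owns the file.
MSO_PI_RE = re.compile(r'<\?mso-application\s+progid="([^"]+)"\s*\?>')
# Stylesheet processing instruction honoured by browsers.
XSL_PI_RE = re.compile(r'<\?xml-stylesheet\s+([^?]*)\?>')
# Word 2003 XML container for binary parts, base64 encoded.
BINDATA_RE = re.compile(r'<w:binData\b[^>]*\bw:name="([^"]+)"[^>]*>(.*?)</w:binData>', re.S)


def classify_xml_attachment(text: str) -> dict:
    """Report the hints that make an XML attachment open as something other than XML."""
    findings = {'office_progid': None, 'xsl_stylesheets': [], 'embedded_parts': []}
    m = MSO_PI_RE.search(text)
    if m:
        findings['office_progid'] = m.group(1)
    for pi in XSL_PI_RE.finditer(text):
        attrs = dict(re.findall(r'(\w+)="([^"]*)"', pi.group(1)))
        if attrs.get('type') in ('text/xsl', 'text/xml', 'application/xslt+xml', 'application/xml'):
            findings['xsl_stylesheets'].append(attrs.get('href'))
    for name, blob in BINDATA_RE.findall(text):
        # Decode only to size the payload; the bytes are not executed or written anywhere.
        size = len(base64.b64decode(''.join(blob.split())))
        findings['embedded_parts'].append((name, size))
    return findings


def quarantine_reasons(text: str) -> list:
    """Human-readable reasons a gateway would hold the attachment; empty means none found."""
    f = classify_xml_attachment(text)
    reasons = []
    if f['office_progid']:
        reasons.append(f"declares itself an Office document ({f['office_progid']})")
    if f['embedded_parts']:
        parts = ', '.join(f'{name} ({size} bytes)' for name, size in f['embedded_parts'])
        reasons.append(f'carries embedded binary parts: {parts}')
    if f['xsl_stylesheets']:
        reasons.append('renders as (X)HTML in a browser via XSLT: ' + ', '.join(map(str, f['xsl_stylesheets'])))
    return reasons


# Constructed sample attachments for the example (the binary part is just a marker string).
WORD_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    '<?mso-application progid="Word.Document"?>\n'
    '<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml">\n'
    ' <w:binData w:name="editdata.mso">%s</w:binData>\n'
    ' <w:body><w:p><w:r><w:t>Invoice</w:t></w:r></w:p></w:body>\n'
    '</w:wordDocument>' % base64.b64encode(b'fake binary part').decode()
)
XSL_XML = (
    '<?xml version="1.0"?>\n'
    '<?xml-stylesheet type="text/xsl" href="render.xsl"?>\n'
    '<report><title>Quarterly numbers</title></report>'
)
PLAIN_XML = '<?xml version="1.0"?>\n<config><key>value</key></config>'

if __name__ == '__main__':
    for label, sample in [('word', WORD_XML), ('xsl', XSL_XML), ('plain', PLAIN_XML)]:
        print(label, quarantine_reasons(sample) or 'no findings')
```

None of these hints is a vulnerability by itself; they are the properties that decide which program ends up interpreting the file, which is what a blanket "block XML" policy is really about. A filter that wants to be less blunt can allow plain XML and hold only attachments that return a non-empty list here.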