June 20th, 2008
Apple security team finds code execution holes in Ruby
A member of Apple’s security team has discovered multiple serious security vulnerabilities in Ruby, the popular open-source scripting language.
According to an advisory on the Ruby project site, Apple’s Drew Yao reported at least six of the vulnerabilities, which can be exploited to cause a denial-of-service condition or the execution of arbitrary code.
The issues were confirmed in the 1.8 and 1.9 versions of Ruby. Patch download locations can be found in the alert.
Ruby, initially developed and designed by Yukihiro “Matz” Matsumoto, is the interpreted scripting language for quick and easy object-oriented programming.
UPDATE: Over on the Matasano Security blog, Thomas Ptacek Eric Monti describes some of these vulnerabilities as “disturbing.”
These vulnerabilities are likely to crop up in just about any average ruby web application. And by “crop up” I mean “crop up exploitable from trivial user-specified parameters”. It’s not hard to begin imagining cases where Ruby/Rails programmers use code similar to the samples above to routinely handle user input. Unlike un-handled ruby exceptions getting raised, these bugs aren’t the fault of the programmer as much as the fault of the interpreter. Part of the unwritten “contract” with your interpreted language is that it will prevent you from letting ridiculous things happen by raising an exception.
Weaponizing these for code-execution may or may not be trivial (we’re looking into this too, — keep you posted). But even a class of DoS attacks this trivial would be horrible enough.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
