Multiple Security Holes In Ruby 1.8, 1.9

Posted by kdawson on Mon Jun 23, 2008 07:07 AM
from the that-ain't-good dept.
ruphus13 notes a six-pack of serious vulnerabilities discovered in Ruby by a member of Apple's security team, Drew Yao. Patches are linked from the ruby-lang.org advisory. "With the following vulnerabilities, an attacker can lead to denial of service condition or execute arbitrary code... These vulnerabilities are likely to crop up in just about any average ruby web application. And by 'crop up' I mean 'crop up exploitable from trivial user-specified parameters.' It's not hard to begin imagining cases where Ruby/Rails programmers use code similar to the samples above to routinely handle user input."
  • I can see the blood now!
      • Re: (Score:3, Informative)

        "Carpet bombing" neither executed arbitrary code nor has it not been fixed.
          • Re: (Score:3, Insightful)

            Was there not a recent demonstration of a 'blended threat' based on the Safari bug that would execute code the next time IE ran? Also, I believe there is another similar method for Firefox 2/3.

            No, there still is a bug in IE that will run any properly named DLL on the Desktop, whether it is downloaded with the "Carpet Bomb", or by hand with any browser, download tool (incl. FTP or P2P), or moved there, or put there by fairies. And there is also a bug in Firefox that allows somebody to "steal files", which has probably to do with a certain kind of file being in its Download Folder (by default the Desktop) - again, no matter how it got there. These are bugs that need to be fixed.

  • This, IMHO, goes to show that Ruby isn't any better than the other Open Source interpreted languages. Despite what the Ruby fanboys always claim, it is actually far less mature than, let's say, Python or PHP.
    A matured, tested and established mod_ruby, unicode and a few years more in the field is what Ruby needs before I take a look at it.

    My 2 cents.

    • Re: (Score:3, Insightful)

      Keep in mind that ruby and PHP are essentially contemporaries - they've both been in real use for over a decade. By most measures, one would think of them as being "mature" technologies, and yet we still see bugs like this crop up in both languages. I think it just goes to show - while selecting a "mature" technology has its advantages, it will not make you immune to problems.

      For what it's worth, this appears to be a flaw in the official ruby interpreter. That's a big deal, of course, but just so you k

      • Re: (Score:3, Informative)

        Keep in mind that ruby and PHP are essentially contemporaries - they've both been in real use for over a decade. By most measures, one would think of them as being "mature" technologies, and yet we still see bugs like this crop up in both languages. I think it just goes to show - while selecting a "mature" technology has its advantages, it will not make you immune to problems.

        I'd interpret the same facts the other way around. A decade isn't very long for a programming language to mature. Ruby and PHP hav

    • by SanityInAnarchy (655584) <ninja@slaphack.com> on Monday June 23 2008, @11:42AM (#23905149) Journal

      This, IMHO, goes to show that Ruby isn't any better at security than the other Open Source interpreted languages.
      Fixed that for you.

      And it never claimed to be. I don't know anyone who uses Ruby because it's more secure. Everyone I know who uses Ruby does so because of the beautiful syntax, pervasive OO, and other things that make it nicer to program in.

      far less mature than, let's say, Python or PHP.
      Oh, [net-security.org] really? [softpedia.com]

      And again, it's not the security. I'm willing to risk having to patch my interpreter like this once in awhile, if it means I'm able to

      Keep in mind, this vulnerability is so far only a DoS, and won't necessarily affect most installations. Most people run multiple interpreters serving a single site, each load-balanced to. Knock out one and it'll be restarted, while the other continues to serve content.

      Which brings us to your next point...

      A matured, tested and established mod_ruby, unicode and a few years more in the field is what Ruby needs before I take a look at it.
      Well, let's see -- Unicode has existed, albeit not great, for quite awhile. 1.9 has had Unicode strings from the beginning.

      mod_ruby -- you do realize pretty much no one in the Ruby world uses Apache, right? It's all mongrels and nginx... But if you must, there's Passenger. [modrails.com]

      a few years more in the field is what Ruby needs before I take a look at it.
      Obviously, you really haven't taken a look at it.
      • I believe this is the PHP bug you mention: http://use.perl.org/~Aristotle/journal/33448 [perl.org] .

      • by smallpaul (65919) <paul@NOspAm.prescod.net> on Monday June 23 2008, @10:43AM (#23904235)

        So, um, how's jPHP and Jython coming along? Would you deploy a real life application on Jython?

        Go team. Rah! Rah! Rah! YEAH!!!!

        But I have two questions:

        1. What does the relative merit of Jython versus Jruby have to do with the price of tea in China? Are you moving your apps from the buggy MRI to JRuby this week to avoid these security holes?

        2. What evidence do you have that Jruby is more appropriate for "real life applications" than Jython? I know people who have deployed real life applications on Jython since before the first checkin of JRuby. For example, Websphere ships with Jython.

        http://wiki.python.org/jython/JythonUsers [python.org]

        Ruby has some real advantages over Python. But if you don't know them, don't just make stuff up.

        • My question about Jython was not rhetorical; I keep hearing people saying it needs more love. And no, I wouldn't give Java the time of day, but it is perhaps quite relevant to those who worry about wobbly concepts like "maturity" in decade-old languages.

  • good news (Score:5, Funny)

    by corbettw (214229) <corbettw@@@yahoo...com> on Monday June 23 2008, @08:17AM (#23902303) Homepage Journal

    Now it's time to start calling up all those RoR sites and use this to convince them to switch to Django.

  • by Hognoxious (631665) on Monday June 23 2008, @08:42AM (#23902625) Homepage Journal
    Ruby - it's the new PHP.
  • FUD? (Score:3, Insightful)

    by MarkusQ (450076) on Monday June 23 2008, @09:19AM (#23903105) Journal

    These vulnerabilities are likely to crop up in just about any average ruby web application. And by 'crop up' I mean 'crop up exploitable from trivial user-specified parameters.'

    Huh? Who lets users enter arbitrary integers to index into arrays? Or lets users submit arbitrary loops for execution? Apart from the statement quoted above, what indication is there that any of these would "crop up" in any but the most contrived circumstances?

    --MarkusQ

    • The same people that let remote users enter arbitrary data into an SQL query, or who use non-parameterized queries in the first place. Or who set a "logged_in=1" cookie after authentication and check only that value for future verification.
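The two habits this reply names, passing a request parameter straight into an array index and treating a client-settable cookie as the login decision, shown beside hardened versions. This is an added example, not code from the thread or from the Ruby advisory; RECORDS, SECRET and the cookie layout are constructed for illustration.

```ruby
require 'openssl'

# Constructed sample data standing in for records a web app looks up by position.
RECORDS = %w[alpha bravo charlie delta].freeze

# Naive handler: the "page" parameter goes through to_i and straight into Array#[].
# String#to_i turns garbage into 0, and a negative index counts from the end, so
# "abc" quietly returns the first record and "-1" the last one.
def naive_lookup(param)
  RECORDS[param.to_i]
end

# Hardened handler: accept only a short run of digits, parse strictly, and
# require the result to be a valid index. Anything else is rejected, not guessed.
def safe_lookup(param)
  return nil unless param.is_a?(String) && param.match?(/\A\d{1,6}\z/)
  idx = Integer(param, 10)
  return nil unless (0...RECORDS.length).cover?(idx)
  RECORDS[idx]
end

# The "logged_in=1" anti-pattern: the browser supplies the authorization decision.
def naive_authenticated?(cookies)
  cookies['logged_in'] == '1'
end

# Constructed secret; a real deployment generates it randomly and keeps it out of source.
SECRET = 'constructed-server-side-secret'.freeze

def sign(value)
  OpenSSL::HMAC.hexdigest('SHA256', SECRET, value)
end

# Session cookie = user id plus an HMAC over it, so the client cannot alter either part.
def issue_session_cookie(user_id)
  "#{user_id}--#{sign(user_id.to_s)}"
end

# Constant-time comparison so a forged MAC cannot be matched byte by byte via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the authenticated user id, or nil when the cookie is missing or tampered with.
def authenticated_user(cookies)
  value, mac = cookies['session'].to_s.split('--', 2)
  return nil if value.nil? || mac.nil?
  secure_equal?(sign(value), mac) ? value : nil
end
```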

  • by MarkWatson (189759) on Monday June 23 2008, @09:59AM (#23903599) Homepage

    I did some testing on an off line server, and then pushed these patches.

    I am concerned about "Ruby the Platform". I have dealt with deployment and scaling issues for a few years on a customer project written in Rails + Common Lisp, and as much as I *love* coding in Ruby and Lisp, this experience has also made me appreciate "Java the platform" :-)

    • > I have dealt with deployment and scaling issues for a few years

      What do you think of modrails [modrails.com]? To me it changes the Rails deployment game entirely... no more mongrel clusters, no more complicated rewrite rules...

      • I have not yet looked at modrails, but I just looked at the site that you linked - looks very interesting - thanks!

        That said, I am fairly happy with nginx + memcached + mongrel cluster

    • Re:The real story (Score:4, Insightful)

      by JeremyGNJ (1102465) on Monday June 23 2008, @07:39AM (#23901949)
      That's really not the story. The story is how simple the exploits were and yet how long it took for them to be discovered.

      • by Anonymous Coward on Monday June 23 2008, @07:44AM (#23901979)

        sooo... open source failed? that's what it sounds like you're saying. beware of pitchfork carrying moderators ;)

        • Re:The real story (Score:5, Insightful)

          by CrazedWalrus (901897) on Monday June 23 2008, @08:05AM (#23902191) Journal

          How did open source fail? Someone who wasn't the original author had access to the code and found the bugs. How quickly it's found is a function of how many qualified people are looking at the code. I didn't RTFA, but presumably Drew Yao, a member of the security team, was security auditing the code. This activity would have been much harder to impossible with closed source code.

          I'd say the system worked as advertised here.

          • This activity would have been much harder to impossible with closed source code.

            I'd say the system worked as advertised here.

            Yup, because Microsoft certainly never have exploits such as these discovered...
            • Re:The real story (Score:4, Insightful)

              by CrazedWalrus (901897) on Monday June 23 2008, @08:56AM (#23902835) Journal

              I didn't say anything about Microsoft. Obviously there are, but the source is much more difficult to obtain. If the source can't be obtained, auditors must use more difficult types of testing, or just hope that the vendor did their job correctly.

              My only point was that Apple would have a much more difficult time auditing, say, Office for Mac, than they would with Ruby due to the requirement for source code agreements or using more arcane methods like blackbox testing or disassembly. The same applies to Photoshop, Flash, or any other 3rd party closed-source app.

              The victory here is that Ruby was improved by a 3rd party who had ready access to the source. When the source is available, this will happen much more often than when it's not.

            • Re: (Score:3, Interesting)

              Yup, because Microsoft certainly never have exploits such as these discovered...

              The difference is who finds them and what happens when they are found. Vulnerabilities in Microsoft products are found either by accident (I pass you some data which should be valid and you choke, or I pass you some data which should be invalid and you don't choke, or you just crash instead of detecting the invalid data and throwing an exception or local equivalent, which is what you SHOULD do EVERY TIME) or by malicious motherfuckers deliberately looking for the above conditions, or disassembling the cod

          • Re:The real story (Score:5, Insightful)

            by Anonymous Coward on Monday June 23 2008, @08:33AM (#23902505)

            How did open source fail? Someone who wasn't the original author had access to the code and found the bugs. How quickly it's found is a function of how many qualified people are looking at the code. I'd say the system worked as advertised here.
            Slight correction -- it's a function of how many qualified and honest people are looking at the code. Now, the skilled but dishonest Russian hacking cartels had a financial incentive to look through the code for security problems; comparatively few security researchers had financial incentives to do so. Are you really sure this is the first time this bug has been discovered? Or just the first time by nice cooperative people who don't exploit it and keep it secret?
            • That's a good point. I don't claim to be sure of anything except that, had the source not been available, those bugs would probably still exist.

              In other words, the lifetime of the bugs is substantially decreased. In closed-source apps, less people can audit it, which necessarily means that there's a smaller pool of nice, cooperative people to find the bug.

              The people with a financial incentive will still find exploits like they always do -- open or closed.

            • Because dishonest hacking cartels would never look at microsoft source code [slashdot.org]!

          • by Anonymous Coward on Monday June 23 2008, @08:47AM (#23902687)

            Case 1: the code has no bugs: "many eyes make for shallow bugs!" everyone chants.

            Case 2: the code has bugs which get reported and fixed. "See, this would have taken much longer if the source was closed!" This claim is impossible to verify objectively but is stated as a fact, regardless of how trivial the bugs are.

            • Re: (Score:2, Insightful)

              by Anonymous Coward

              And then there are those of us who just don't give a damn about what other people think, but continue to use open source on both our servers and our desktops not because of what other people claim, but because in our experience it works better.

            • Re: (Score:2, Insightful)

              by Anonymous Coward

              Case 1 is a myth. All software has bugs. Even the best and most thoroughly reviewed code typically has at least 1 bug per thousand lines of code. Always. (However, they're not always security related like this.)

            • Aaaand then you get people who claim that "Open Source worked!" when a 25 year old bug is squashed.

          • How did open source fail? Someone who wasn't the original author had access to the code and found the bugs.

            Who says he was the first to find the bugs - he's just the first not to use the exploit to crack servers.
            • I never claimed he was the first. The point was that these were found *quicker* than if it was solely up to the original authors to find the bugs. "Quicker" is a relative term compared to the alternative. It doesn't mean "first", and it doesn't mean "quick".

        • Re:The real story (Score:5, Insightful)

          by headLITE (171240) on Monday June 23 2008, @08:14AM (#23902259) Homepage

          A vulnerability in an open source project was found by a third party doing a security audit of the code. The possibility to validate the source code is exactly what open source proponents claim is the reason for open source being more secure. Everybody can have a go, a thousand pairs of eyes see more than one pair, and all that. Try auditing Visual Basic 6 for comparison.

          • Re:The real story (Score:4, Interesting)

            by moosesocks (264553) on Monday June 23 2008, @08:32AM (#23902501) Homepage

            Try auditing Visual Basic 6 for comparison.
            I don't need to see the source to know that VB6 is completely insecure. The documentation is more than sufficient to prove that the entire language was fundamentally flawed.
      • A testament to either how adopted the Ruby language is or the competency of the maintainers.

        I'm really not a troll; I think they are valid points.

      • This reminds me of the notorious suidperl vulnerability [ciac.org] from back in the day. In a nutshell, you could use the following code to achieve a root shell from an unprivileged account (apologies if I don't get it exactly right... I don't have an ancient system to verify on):

        #!/usr/bin/suidperl -w

        $< = 0;
        $> = 0;

        `/bin/bash`;

        That was available for how many years? Anyhow, that's much more serious than this Ruby DoS attack. ;)

    • Re:The real story (Score:5, Insightful)

      by mccalli (323026) on Monday June 23 2008, @07:41AM (#23901967) Homepage
      The real story here is how quickly the bugs were patched. I'd like to see MS respond half as fast to holes in Windows and its attendant parts and pieces.

      No. The real story here is the security bugs, precisely as described. This isn't cheerleading - to users of Ruby it really doesn't matter how fast some other imagined patch might have come out from another company for a different product. If I'm running Ruby, I need to know that these bugs exist and that patches can be applied for them.

      Drop the us vs. them thinking - it doesn't help and is pretty much just FUD.

      Cheers,
      Ian
    • Re:Confirmation (Score:4, Insightful)

      by setagllib (753300) on Monday June 23 2008, @07:40AM (#23901965)

      Then what is? Sun Java and Microsoft .NET have both had long histories of security patches. Python is a lot better but nothing is perfect.

      At least with a Linux Python/Ruby you get the security fix within hours as part of your regular operating system update. With Java you have to download the whole thing again from Sun's site. With .NET you have to wait for Patch Tuesday or apply a hotfix manually.

      • Re:Confirmation (Score:4, Interesting)

        by larry bagina (561269) on Monday June 23 2008, @07:51AM (#23902029) Journal
        "Enterprise" means you don't blindly install updates on day 0.
        • Re: (Score:3, Insightful)

          Agreed. It also usually doesn't refer to a programming language or environment. At any rate, "enterprise" applications have historically been written in a bunch of languages that don't do array bounds checking. Granted, ruby is supposed to do it, but I mean, seriously - are kids these days so spoiled by JavaScript and VB that this kind of error is a surprise and the biggest bug ever?

          • Re:Confirmation (Score:4, Insightful)

            by Idaho (12907) on Monday June 23 2008, @09:59AM (#23903583)

            Granted, ruby is supposed to do it, but I mean, seriously - are kids these days so spoiled by JavaScript and VB that this kind of error is a surprise and the biggest bug ever?

            1. If the interpreter is supposed to do it, except it then turns out it actually doesn't (or doesn't do it correctly), then yes.
            2. If the problem occurs in something that is a part of the language itself, or at least part of its standard library/built-in types, or, however you want to define it, if it is in the set of stuff that everyone who has the language installed has installed, and the functionality is used in pretty much any program ever written in the language, then yes.

            So, yes.

        • by /ASCII (86998) on Monday June 23 2008, @08:22AM (#23902371) Homepage

          No, "Enterprise ready" means they didn't have to deal with that shit on Star Trek.

      • And I for one get really tired of all the Sun Java updates. One particular update path I have to go through with some machines requires downloading 5 or 6 Java updates, at 35-50 MB EACH, as Java trampolines itself up to the latest version.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Actually, considering its age, Java DOESN'T have a "long" history of security patches. Java was designed by security freaks and the security both of the core language and the standard platforms is extensively vetted and tested by security professionals. Which is why you have to look long and hard for news reports of major security breaches in Java.

        The Java system is considered to be an integrated whole and new releases have to pass an extensive suite of tests before they are certified. Yes, it's a royal pai

    • Oh yes it is. [rubyenterp...dition.com]

    • by LunarCrisis (966179) on Monday June 23 2008, @07:54AM (#23902049)
      The bugs would have been there even if Apple hadn't found them. Why not thank them for improving the quality of Ruby?
    • by UnknowingFool (672806) on Monday June 23 2008, @08:50AM (#23902759)

      Apple finds serious bugs in Ruby. They tell the Ruby developers. Ruby developers issue patches. That's not sensational.

      MS finds a bug in Safari. They tell everyone not to use Safari. I see slight differences. :P

        • Re: (Score:3, Insightful)

          What a joke.

          Look at almost every security advisory issued out there. "Remedy: Do not/restrict usage of X until bug is resolved".

          Making this a stab at MSFT just shows you up as an Apple fanboy.

          Ignoring that there is a much bigger hole in IE that the Apple bug makes a tiny bit easier to trigger shows you up as what then?