Ruby, Ruby, Ruby - Vulnerable, Vulnerable, Vulnerable


Multiple arbitrary code execution vulnerabilities in Ruby, revealed by the Apple Product Security team, could also be used to mount Denial of Service attacks. Five vulnerabilities have been reported in total, affecting the following versions:

1.8.4 and all prior versions
1.8.5-p230 and all prior versions
1.8.6-p229 and all prior versions
1.8.7-p21 and all prior versions
1.9.0-1 and all prior versions

Upgrading to 1.8.5-p231, 1.8.6-p230, 1.8.7-p22 or 1.9.0-2, whichever matches the branch in use, is recommended.
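The affected and fixed releases listed above translate directly into a version check that an administrator can run on a host. The following Ruby script is an added example for this article, not code from the advisory or the Ruby project; it encodes the version table exactly as stated here (1.8.4 and earlier affected at every patchlevel, fixed patchlevels 231, 230 and 22 for the 1.8.x branches, and release 1.9.0-2 for 1.9.0) and reports anything outside that table as unknown rather than guessing. The `RUBY_PATCHLEVEL` constant is only present on newer interpreters; the script assumes an interpreter that lacks it is at patchlevel 0.

```ruby
# Added example: classify a Ruby version against the advisory's version table.
# Fixed releases per the article: 1.8.5-p231, 1.8.6-p230, 1.8.7-p22, 1.9.0-2.
# 1.8.4 and everything before it is affected regardless of patchlevel.
FIXED_PATCHLEVELS = {
  [1, 8, 5] => 231,
  [1, 8, 6] => 230,
  [1, 8, 7] => 22,
  [1, 9, 0] => 2,   # 1.9.0-2 is a release number, compared the same way here
}.freeze

# "1.8.6" -> [1, 8, 6]; non-numeric components become 0
def parse_version(str)
  str.split('.').map(&:to_i)
end

# Returns :vulnerable, :fixed, or :unknown (a version the advisory does not cover).
def ruby_status(version, patchlevel)
  v = parse_version(version)
  return :unknown unless v.size == 3
  # Array#<=> compares element by element, which is exactly semantic ordering here.
  return :vulnerable if (v <=> [1, 8, 4]) <= 0
  fixed = FIXED_PATCHLEVELS[v]
  return :unknown if fixed.nil?
  patchlevel.to_i >= fixed ? :fixed : :vulnerable
end

# Checks the interpreter running this script.
# Assumption: interpreters without RUBY_PATCHLEVEL are treated as patchlevel 0.
def current_ruby_status
  pl = defined?(RUBY_PATCHLEVEL) ? RUBY_PATCHLEVEL : 0
  ruby_status(RUBY_VERSION, pl)
end

if __FILE__ == $0
  pl = defined?(RUBY_PATCHLEVEL) ? RUBY_PATCHLEVEL : 0
  puts "ruby #{RUBY_VERSION}-p#{pl}: #{current_ruby_status}"
end
```

Running the script on a host prints one of three verdicts; `:unknown` means the version is newer than the advisory's table (or unparseable) and should be checked against a current advisory rather than assumed safe.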

This is, of course, of particular interest to Apple, as its Mac OS X Leopard ships with the Ruby on Rails web development framework.

For an in-depth examination of the vulnerabilities, head over to the Matasano Chargen blog, where security guru Eric Monti has been dissecting the details.

Monti says: "These vulnerabilities are likely to crop up in just about any average ruby web application. And by 'crop up' I mean 'crop up exploitable from trivial user-specified parameters'. Unlike unhandled ruby exceptions getting raised, these bugs aren't the fault of the programmer as much as the fault of the interpreter. Part of the unwritten 'contract' with your interpreted language is that it will prevent you from letting ridiculous things happen by raising an exception."

Davey Winder

I've been a freelance word punk for more than two decades and for the last few years an Editorial Fellow at Dennis Publishing. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011. As well as working for DaniWeb I have been a Contributing Editor with PC Pro (the best selling IT magazine in the UK) for twenty years.
