Multiple Security Holes In Ruby 1.8, 1.9
ruphus13 notes a six-pack of serious vulnerabilities discovered in Ruby by a member of Apple's security team, Drew Yao. Patches are linked from the ruby-lang.org advisory. "With the following vulnerabilities, an attacker can lead to denial of service condition or execute arbitrary code... These vulnerabilities are likely to crop up in just about any average ruby web application. And by 'crop up' I mean 'crop up exploitable from trivial user-specified parameters.' It's not hard to begin imagining cases where Ruby/Rails programmers use code similar to the samples above to routinely handle user input."
I can see the blood now!
The bugs found are fairly basic honestly.
If these were found in any MS product it wouldn't matter how fast they were patched.
That's really not the story. The story is how simple the exploits were and yet, how long it took to be discovered.
Then what is? Sun Java and Microsoft .NET have both had long histories of security patches. Python is a lot better but nothing is perfect.
At least with a Linux Python/Ruby you get the security fix within hours as part of your regular operating system update. With Java you have to download the whole thing again from Sun's site. With .NET you have to wait for patch tuesday or apply a hotfix manually.
Sam ty sig.
The real story here is how quickly the bugs were patched. I'd like to see MS respond half as fast to holes in Windows and its attendant parts and pieces.
No. The real story here are the security bugs, precisely as described. This isn't cheerleading - to users of Ruby it really doesn't matter how fast some other imagined patch might have come out from another company for a different product. If I'm running Ruby, I need to know that these bugs exist and that patches can be applied for them.
Drop the us vs. them thinking - it doesn't help and is pretty much just FUD.
Cheers,
Ian
sooo... open source failed? that's what it sounds like you're saying. beware of pitchfork carrying moderators ;)
I can only agree to this. Enterprise readiness is difficult to quantify, and nothing is completely bug free.
Now this bug seems pretty basic and important, but then there are (or at least were) bugs like that in a lot of systems, and it is fairly impressive to see that these are corrected in so short a time.
If I'm wrong, please correct me ; learning is better than being right.
"Enterprise" means you don't blindly install updates on day 0.
Do you even lift?
These aren't the 'roids you're looking for.
The bugs would have been there even if Apple hadn't found them. Why not thank them for improving the quality of Ruby?
Mr. Period: Nine is the one that's right by ten!
Nine: One day I will kill him. Then, I will be Ten.
Sorry - forgot the *joke* tag...
Yes they have improved the quality of Ruby by doing this.
Acid House saves Souls
How did open source fail? Someone who wasn't the original author had access to the code and found the bugs. How quickly it's found is a function of how many qualified people are looking at the code. I didn't RTFA, but presumably Drew Yao, a member of the security team, was security auditing the code. This activity would have been much harder to impossible with closed source code.
I'd say the system worked as advertised here.
This, IMHO, goes to show that Ruby isn't any better than the other Open Source interpreted languages. Despite what the Ruby fanboys always claim, it is actually far less mature than, let's say, Python or PHP.
A matured, tested and established mod_ruby, unicode and a few years more in the field is what Ruby needs before I take a look at it.
My 2 cents.
We suffer more in our imagination than in reality. - Seneca
A vulnerability in an open source project was found by a third party doing a security audit of the code. The possibility to validate the source code is exactly what open source proponents claim is the reason for open source being more secure. Everybody can have a go, a thousand pairs of eyes see more than one pair, and all that. Try auditing Visual Basic 6 for comparison.
Now it's time to start calling up all those RoR sites and use this to convince them to switch to Django.
God invented whiskey so the Irish would not rule the world.
Agreed. It also usually doesn't refer to a programming language or environment. At any rate, "enterprise" applications have historically been written in a bunch of languages that don't do array bounds checking. Granted, ruby is supposed to do it, but I mean, seriously - are kids these days so spoiled by JavaScript and VB that this kind of error is a surprise and the biggest bug ever?
No, "Enterprise ready" means they didn't have to deal with that shit on Star Trek.
Try out fish, the friendly interactive shell.
Bugs this simple shouldn't occur in software like this, especially one which is supposed to be widespread.
If they can't get something this simple right then what else are they doing wrong?
This activity would have been much harder to impossible with closed source code.
I'd say the system worked as advertised here.
Yup, because Microsoft certainly never have exploits such as these discovered...and I for one get really tired of all the Sun Java updates. One particular update path I have to go through with some machines requires downloading 5 or 6 java updates, at 35-50mb EACH, as java trampolines itself up to the latest version.
I work for the Department of Redundancy Department.
-- If you try to fail and succeed, which have you done? - Uli's moose
A testament to either how adopted the Ruby language is or the competency of the maintainers.
I'm really not a troll; I think they are valid points.
Ruby - it's the new PHP.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Actually, considering its age, Java DOESN'T have a "long" history of security patches. Java was designed by security freaks and the security both of the core language and the standard platforms is extensively vetted and tested by security professionals. Which is why you have to look long and hard for news reports of major security breaches in Java.
The Java system is considered to be an integrated whole and new releases have to pass an extensive suite of tests before they are certified. Yes, it's a royal pain in the [censored] to have to download an entire enormous new release of the runtime engine and support classes, but the upside is that you don't get the kinds of security and reliability issues that come from a mix-match-and-patch approach. There's only a small number of possible configurations to keep clean.
Case 1: the code has no bugs: "many eyes make for shallow bugs!" everyone chants.
Case 2: the code has bugs which get reported and fixed. "See, this would have taken much longer if the source was closed!" This claim is impossible to verify objectively but is stated as a fact, regardless of how trivial the bugs are.
Apple finds serious bugs in Ruby. They tell the Ruby developers. Ruby developers issue patches. That's not sensational.
MS finds a bug in Safari. They tell everyone not to use Safari. I see slight differences. :P
Well, there's spam egg sausage and spam, that's not got much spam in it.
How did open source fail? Someone who wasn't the original author had access to the code and found the bugs.
Who says he was the first to find the bugs - he's just the first not to use the exploit to crack servers.
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
I didn't say anything about Microsoft. Obviously there are, but the source is much more difficult to obtain. If the source can't be obtained, auditors must use more difficult types of testing, or just hope that the vendor did their job correctly.
My only point was that Apple would have a much more difficult time auditing, say, Office for Mac, than they would with Ruby due to the requirement for source code agreements or using more arcane methods like blackbox testing or disassembly. The same applies to Photoshop, Flash, or any other 3rd party closed-source app.
The victory here is that Ruby was improved by a 3rd party who had ready access to the source. When the source is available, this will happen much more often than when it's not.
That's a good point. I don't claim to be sure of anything except that, had the source not been available, those bugs would probably still exist.
In other words, the lifetime of the bugs is substantially decreased. In closed-source apps, less people can audit it, which necessarily means that there's a smaller pool of nice, cooperative people to find the bug.
The people with a financial incentive will still find exploits like they always do -- open or closed.
Huh? Who lets users enter arbitrary integers to index into arrays? Or let's users submit arbitrary loops for execution? Apart from the statement quoted above, what indication is there that any of these would "crop up" in any but the most contrived circumstances?
--MarkusQ
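The disagreement above is whether "trivial user-specified parameters" ever reach Ruby's array and string operations as raw integers. The following is an added example, not code from the thread, from Rails, or from the ruby-lang.org advisory: a hypothetical pagination handler that passes untrusted offset/count values straight into Array slicing, beside a hardened version that parses and clamps them first. The params hash, the limits and the BadParam class are all assumptions made for the example.

```ruby
# Added example: untrusted integers flowing into Array operations, and a
# bounded parser that keeps them in range. Not part of the original thread
# or of any Ruby/Rails code. Sample data below is constructed for the demo.

MAX_PAGE_SIZE = 100        # assumed application limit
MAX_OFFSET    = 1_000_000  # assumed application limit

class BadParam < ArgumentError; end  # hypothetical error type for rejected input

# Vulnerable pattern (assumption: a Rails-like handler with a params hash).
# String#to_i happily turns "4611686018427387903" or "-5" into an Integer,
# and the index and length go straight to the interpreter's C-level slice code.
def unsafe_page(items, params)
  offset = params["offset"].to_i
  count  = params["count"].to_i
  items[offset, count]
end

# Hardened pattern: strict syntax check, strict conversion, explicit range.
# The digit limit rejects absurdly long numerals before Integer() even runs,
# so neither a Bignum nor a negative length ever reaches the Array call.
def bounded_int(raw, min:, max:)
  raise BadParam, "missing value" if raw.nil?
  s = raw.to_s
  raise BadParam, "not an integer: #{s.inspect}" unless s.match?(/\A-?\d{1,12}\z/)
  n = Integer(s, 10)
  raise BadParam, "out of range: #{n}" unless (min..max).cover?(n)
  n
end

def safe_page(items, params)
  offset = bounded_int(params["offset"], min: 0, max: MAX_OFFSET)
  count  = bounded_int(params["count"],  min: 1, max: MAX_PAGE_SIZE)
  items[offset, count] || []   # slicing past the end yields nil; normalise to []
end

if __FILE__ == $PROGRAM_NAME
  items = (1..10).to_a                       # constructed sample collection
  p unsafe_page(items, "offset" => "2", "count" => "3")
  p unsafe_page(items, "offset" => "4611686018427387903", "count" => "3")
  begin
    safe_page(items, "offset" => "4611686018427387903", "count" => "3")
  rescue BadParam => e
    puts "rejected: #{e.message}"
  end
end
```

The point of the hardened version is not that modern interpreters are expected to crash on a large index, but that the application should never hand an attacker-chosen magnitude to a low-level routine at all: validate shape, convert strictly, clamp to what the feature actually needs, and fail closed.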
If 1 = 1 Then End Tell me, oh great Flamebaiter-modded-interesting, how this 'fundamentally flawed' programming language will insecurely compile the above code. The proper order of progression is: Think, Speak.
I never claimed he was the first. The point was that these were found *quicker* than if it was solely up to the original authors to find the bugs. "Quicker" is a relative term compared to the alternative. It doesn't mean "first", and it doesn't mean "quick".
Good maybe it and all the "Web 2.0" assholes will go away with it.
"Ubuntu" -- an African word, meaning "Slackware is too hard for me". - stolen from Dan C alt.os.linux.slackware
1. If the interpreter is supposed to do it, except it then turns out it actually doesn't (or doesn't do it correctly), then yes.
2. If the problem occurs in something that is a part of the language itself, or at least part of its standard library/built-in types, or, however you want to define it, if it is in the set of stuff that everyone who has the language installed has installed, and the functionality is used in pretty much any program ever written in the language, then yes.
So, yes.
Every expression is true, for a given value of 'true'
I did some testing on an off line server, and then pushed these patches.
I am concerned about "Ruby the Platform". I have dealt with deployment and scaling issues for a few years on a customer project written in Rails + Common Lisp, and as much as I *love* coding in Ruby and Lisp, this experience has also made me appreciate "Java the platform" :-)
The difference is who finds them and what happens when they are found. Vulnerabilities in Microsoft products are found either by accident (I pass you some data which should be valid and you choke, or I pass you some data which should be invalid and you don't choke, or you just crash instead of detecting the invalid data and throwing an exception or local equivalent, which is what you SHOULD do EVERY TIME) or by malicious motherfuckers deliberately looking for the above conditions, or disassembling the code and looking for potential race conditions.
By contrast, bugs in open source products are found by looking at the source code and by the above means. But the difference is that the number of non-malicious individuals looking at the code is far larger. So basically, all the same things happen in both places, but the first person to find the bug is more likely to be altruistic in the open source world; and furthermore, the bug is more likely to be found by an altruist at all (ever) in the open source world. You can be sure that a number of Microsoft bugs have been fixed silently without anyone ever announcing them... Which means only the malicious types know they exist, and people who don't patch unless they feel they have to are exposing vulnerabilities that they have no real way to find out about because they lack the requisite time and/or skills to test for such problems.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Where exactly did they tell everyone to not use Safari? In fact, I believe that MS reported the vulnerability to Apple and helped them understand why it needs to be fixed.
This reminds me of the notorious suidperl vulnerability from back in the day. In a nutshell, you could use the following code to achieve a root shell from an unprivileged account (apologies if I don't get it exactly right... I don't have an ancient system to verify on):
That was available for how many years? Anyhow, that's much more serious than this Ruby DoS attack.
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
Because dishonest hacking cartels would never look at microsoft source code!
IranAir Flight 655 never forget!
The same people that let remote users enter arbitrary data into an SQL query [...]
You mean "if you're stupid enough to let someone sneak arbitrary Ruby code in via a form, then they can use this complex memory corruption attack instead of just opening up a backdoor shell"? Or what?
Well, Windows has a waaaay worse track record yet it's used by 90+% of businesses.
Try auditing Visual Basic 6 for comparison.
Please! Even the lead programmer of the language would feel insulted if asked to do that. If we compare apples to apples, which in this case would be Ruby to the .Net platform, then you are wrong. The source code is easily viewable with tools like Reflector. Also MS has set up symbol servers so that you can trace through the libraries in a debug environment.
Frankly, it's not reasonable to expect them to - that's like comparing apples to ... Boeing jets. I suspect if Windows were the size and complexity of Ruby, they'd be able to get fixes out just as quickly.
Look at almost every security advisory issued out there. "Remedy: Do not/restrict usage of X until bug is resolved".
Making this a stab at MSFT just shows you up as an Apple fanboy.
They would reveal their Symbols? The very symbols of their code!? This is truly magnanimous gesture indeed! But alas, I fear I'm not worthy to log into a server of such patrician caliber.
*more quickly*
.NET had at least one exploit which allows execution of arbitrary native code from a verified (i.e., supposedly safe) assembly regardless of CAS restrictions. On the other hand, it's nowhere as trivial as the array and string abuse demonstrated here on Ruby.
Are agnostics skeptical of unicorns too?
I LOVE ruby as a language, but let's be realistic here. All you need for a DOS attack against a ruby-based web application of any complexity is a few dozen users using it as intended. No need to waste time figuring out complicated exploits for that.
I'm sure lots of bugs that have potential security implications get quietly fixed (fixed without a security advisory being sent to the distros) in the open source world too, either because the project has a very tight definition of what they count as a security bug (e.g. insisting on a working code execution exploit before considering a bug a security issue), because the project has no mechanism in place for sending security advisories, or simply because the people dealing with the bug don't understand its security implications. Some may even explicitly cover up security issues. (This is one area where it is virtually impossible for an outsider to distinguish between a mistake and a deliberate act.)
note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
Yes, even more so with the mindless popularity of Ruby among the programming anti-elite. The thousands of tutorial screencasts teaching non-programmers "how to build a blog in 5 lines" have led to an explosion of horrible sites that every self-respecting coder and/or security analyst dismissed as a big gaping hole.
As it turns out, we were right. How these obvious flaws weren't spotted sooner, that's the true mystery.
-Billco, Fnarg.com
what system is this? At least on windows I have never had a problem just downloading the latest java installer from sun and running it regardless of what if any version of sun java was on the machine before.
Everyone is stupid except for you. You never made a stupid mistake or had a bug or a vulnerability.
Oh no, I've been stupid, often enough. I'll happily admit that, because concentrating on the "stupid" bit is completely missing the point.
The point isn't that it's stupid to worry about buffer overflows.
The point is that the mechanism you're talking about, code injection attacks similar to the SQL injection attacks, don't need buffer overflows. Because once you've pulled a Ruby code injection attack you've already got full control. It's like the skit about the burglar who needs a knife, so he opens the kitchen door of the house he's breaking into, grabs a knife, then goes back out to work on the window he's trying to lever open...
Maybe it is popular because it is easy?
If the programming elite are so clever they would have come up with something that allows developers to prototype and put in production things quickly.
You may be right in regards to security, but patronizing people about how they are trying to fulfil a real practical need is frankly beyond the pale.
IANAL but write like a drunk one.
Basic, COBOL and Visual Basic at some point were all the most popular languages (shudder).
And as always, ruby detractors keep to themselves those catastrophic inherent problems that are glaringly obvious ....
Oh yes it is.
Lars T.
Look at almost every security advisory issued out there. "Remedy: Do not/restrict usage of X until bug is resolved".
Making this a stab at MSFT just shows you up as an Apple fanboy.
Ignoring that there is a much bigger hole in IE that the Apple bug makes a tiny bit easier to trigger shows you up as what then?
Lars T.
Bite my shiny metal ass. :-P
Yip, the number one problem in Ruby today is the sheer number of trolls it attracts.
Fortunately I hear Matz is going to make Proc.kill_troll part of the standard library in the next release.
It's even easier in Linux... just unpack the archive and move the resulting JDK/JRE directory to where you want it. But that's still a lot more fuss than getting it as part of the system update as you do with the "open" platforms. That's another reason OpenJDK is so welcome.
Um, what? Can't you just look at the disclosures? Why do I have to spoonfeed you the facts? Are you seriously suggesting even one of the mentioned platforms has had a flawless security record?
How so? What array? Where does the user specify the integer? Where in the code is this indexing done (I assume you're talking about Rails, unless you're just blowing smoke)? On the face of it, your claim here makes no sense.
--MarkusQ
You asserted that Python has a glowing security record compared to Java and .NET. I don't buy it. Prove it. You state things as facts with zero evidence to back it up. In the future, I suggest you not make such assertions unless you can back it up when someone calls you on it. For the record, I will call you on it every time.
You're exaggerating the risk of the Java JVM and particularly .NET quite a bit.
If you look at the security hole history of .NET 1.1, .NET 2.0, and .NET 3.0, you'll notice an almost perfect history.
The only true easy own your box was the JPEG parsing vuln that affected a ton of MS products, and that hit .NET as well, due to shared code/modules.
The JVM has been less close to perfect, but it's not too bad. You can read about them for JRE 1.4, JRE 1.5/5, and JRE 1.6/6.
I would also say that it's not an apples to apples comparison. Most of the vulns in .NET and Java have not been in the core language itself, but in the web-applet piece, or in image handling or similar parts of the libraries built in. These are much larger than the built-in libraries that Python ships with.
I'm not trying to start an argument of who has the most possible libraries, including 3rd party, but just pointing out that the default shipment of Java and .NET comes with a lot more 'stuff', which widens the attack surface area.
I think you need to look at the disclosure histories yourself.
Assuming all things are equal, .NET has by far the best record. Python in the middle (by raw count), and Java at the end.
Mind you, Python has two 'own your system' unpatched vulnerabilities right now, that are between 6 and 9 months old and still unpatched. They could be less serious than secunia makes them out to be, however, I'm not familiar enough with them to say off the top of my head.
Python 2.3.x
Python 2.4.x
Python 2.5.x
Python 2.6.x
I'm not going to do it again here, but I also looked at and linked to the secunia listings of .NET and Java in a post just above here. .NET has an excellent record. Java less so, but still not terrible.
Nice job with the random hyperbole there.
Lets report on this more accurately:
Apple finds serious bugs in Ruby. They tell the Ruby developers. Ruby developers issue patches. MS finds a bug in Safari. They tell the Apple developers. Apple developers say they won't patch it soon. MS then tells everyone not to use Safari until it's fixed. You're right in that it's not the same situation, but when you put all the facts in, rather than trying to cast a one-sided light on the situation, it's a lot clearer.
PS, the funky quoting style is slashdot's recent bugfest that ignores hard returns that's cropped up lately.
Anything that lets arbitrary attackers write arbitrary files to protected locations on the local system is worse than IE loading DLLs from known locations.
Why? Simply because if you're able to write files to the computer (outside of cookies and temp) just by having someone visit a website then you've largely owned the computer at that point.
The only thing that restricts the scope of the apple bug is that it only writes to the desktop (which is a stupid auto-download location).
IE's issue with loading DLL's IS stupid, but by itself is a complete non-issue.
Whereas Apple's bug by itself is still problematic.
To be fair though, MS IE has had a very turbulent history when it comes to drive-by file dropping onto the local system. But in this specific case, I would disagree with your statement.
I'd wager that VB6 is probably fairly safe.
Fundamentally flawed language in many ways, definitely :). But probably fairly safe.
My Parent is getting modded all the way up and down the scale.
Looks like I struck a chord right there. Hehe.
Flamewar-A-GoGo!
Anything that lets arbitrary attackers write arbitrary files to protected locations on the local system is worse than IE loading DLLs from known locations.
You would have an argument if the Desktop were a "protected location" - it isn't.
Lars T.
It is more complex than that. FOSS does not guarantee a given project will be examined - it only provides the opportunity.
Other factors determine the extent of examination: popularity, criticality, etc.
The Linux kernel and Firefox are regularly combed and bugs reported because they are both popular and critical infrastructure.
There are many more projects that don't get combed as often or as thoroughly, and there are legion that don't get examined at all. Ruby falls in here somewhere.
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
Broad, very broad claims backed up by no evidence at all. Parent doesn't need any evidence to claim that "VB6 is completely insecure". Not just insecure mind you, no: completely insecure. There's apparently no VB6 statement thinkable that will compile to something without security holes. *rolls eyes* And oh, don't forget that "the entire language was fundamentally flawed". That's right - no single statement does what it's supposed to and all the people who loved the language should be locked up in an insane asylum.