Slashdot Mirror
Multiple Security Holes In Ruby 1.8, 1.9
ruphus13 notes a six-pack of serious vulnerabilities discovered in Ruby by a member of Apple's security team, Drew Yao. Patches are linked from the ruby-lang.org advisory. "With the following vulnerabilities, an attacker can lead to denial of service condition or execute arbitrary code... These vulnerabilities are likely to crop up in just about any average ruby web application. And by 'crop up' I mean 'crop up exploitable from trivial user-specified parameters.' It's not hard to begin imagining cases where Ruby/Rails programmers use code similar to the samples above to routinely handle user input."
I can see the blood now!
That's really not the story. The story is how simple the exploits were and yet, how long it took to be discovered.
Then what is? Sun Java and Microsoft .NET have both had long histories of security patches. Python is a lot better but nothing is perfect.
At least with a Linux Python/Ruby you get the security fix within hours as part of your regular operating system update. With Java you have to download the whole thing again from Sun's site. With .NET you have to wait for patch tuesday or apply a hotfix manually.
Sam ty sig.
The real story here is how quickly the bugs were patched. I'd like to see MS respond half as fast to holes in Windows and it's attendant parts and pieces.
No. The real story here are the security bugs, precisely as described. This isn't cheerleading - to users of Ruby it really doesn't matter how fast some other imagined patch might have come out from another company for a different product. If I'm running Ruby, I need to know that these bugs exist and that patches can be applied for them.
Drop the us vs them thinking - it doesn't help is pretty much just FUD.
Cheers,
Ian
sooo... open source failed? that's what it sounds like you're saying. beware of pitchfork carrying moderators ;)
"Enterprise" means you don't blindly install updates on day 0.
Do you even lift?
These aren't the 'roids you're looking for.
The bugs would have been there even if Apple hadn't found them. Why not thank them for improving the quality of Ruby?
Mr. Period: Nine is the one that's right by ten!
Nine: One day I will kill him. Then, I will be Ten.
How did open source fail? Someone who wasn't the original author had access to the code and found the bugs. How quickly it's found is a function of how many qualified people are looking at the code. I didn't RTFA, but presumably Drew Yao, a member of the security team, was security auditing the code. This activity would have been much harder to impossible with closed source code.
I'd say the system worked as advertised here.
This, IMHO, goes to show that Ruby isn't any better than the other Open Source interpreted languages. Despite what the Ruby fanboys allways claim, it is actually far less mature then, let's say, Python or PHP.
A matured, tested and established mod_ruby, unicode and a few years more in the field is what Ruby needs before I take a look at it.
My 2 cents.
We suffer more in our imagination than in reality. - Seneca
A vulnerability in an open source project was found by a third party doing a security audit of the code. The possibility to validate the source code is exactly what open source proponents claim is the reason for open source being more secure. Everybody can have a go, a thousand pairs of eyes see more than one pair, and all that. Try auditing Visual Basic 6 for comparison.
Now it's time to start calling up all those RoR sites and use this to convince them to switch the Django.
God invented whiskey so the Irish would not rule the world.
Agreed. It also usually doesn't refer to a programming language or environment. At any rate, "enterprise" applications have historically been written in a bunch of languages that don't do array bounds checking. Granted, ruby is supposed to do it, but I mean, seriously - are kids these days so spoiled by JavaScript and VB that this kind of error is a surprise and the biggest bug ever?
No, "Enterprise ready" means they didn't have to deal with that shit on Star Trek.
Try out fish, the friendly interactive shell.
This activity would have been much harder to impossible with closed source code.
I'd say the system worked as advertised here.
Yup, because Microsoft certainly never have exploits such as these discovered...-- If you try to fail and succeed, which have you done? - Uli's moose
Ruby - it's the new PHP.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Actually, considering its age, Java DOESN'T have a "long" history of security patches. Java was designed by security freaks and the security both of the core language and the standard platforms is extensively vetted and tested by security professionals. Which is why you have to look long and hard for news reports of major security breaches in Java.
The Java system is considered to be an integrated whole and new releases have to pass an extensive suite of tests before they are certified. Yes, it's a royal pain in the [censored] to have to download an entire enormous new release of the runtime engine and support classes, but the upside is that you don't get the kinds of security and reliability issues that come from a mix-match-and-patch approach. There's only a small number of possible configurations to keep clean.
Case 1: the code has no bugs: "many eyes make for shallow bugs!" everyone chants.
Case 2: the code has bugs which get reported and fixed. "See, this would have taken much longer if the source was closed!" This claim is impossible to verify objectively but is stated as a fact, regardless of how trivial the bugs are.
Apple finds serious bugs in Ruby. They tell the Ruby developers. Ruby developers issue patches. That's not sensational.
MS finds a bug in Safari. They tell everyone not to use Safari. I see slight differences. :P
Well, there's spam egg sausage and spam, that's not got much spam in it.
I didn't say anything about Microsoft. Obviously there are, but the source is much more difficult to obtain. If the source can't be obtained, auditors must use more difficult types of testing, or just hope that the vendor did their job correctly.
My only point was that Apple would have a much more difficult time auditing, say, Office for Mac, than they would with Ruby due to the requirement for source code agreements or using more arcane methods like blackbox testing or disassembly. The same applies to Photoshop, Flash, or any other 3rd party closed-source app.
The victory here is that Ruby was improved by a 3rd party who had ready access to the source. When the source is available, this will happen much more often than when it's not.
Huh? Who lets users enter arbitrary integers to index into arrays? Or let's users submit arbitrary loops for execution? Apart from the statement quoted above, what indication is there that any of these would "crop up" in any but the most contrived circumstances?
--MarkusQ
1. If the interpreter is supposed to do it, except it then turns out it actually doesn't (or doesn't do it correctly), then yes.
2. If the problem occurs in something that is a part of the language itself, or at least part of its standard library/built-in types, or, however you want to define it, if it is in the set of stuff that everyone who has the language installed has installed, and the functionality is used in pretty much any program ever written in the language, then yes.
So, yes.
Every expression is true, for a given value of 'true'
I did some testing on an off line server, and then pushed these patches.
I am concerned about "Ruby the Platform". I have dealt with deployment and scaling issues for a few years on a customer project written in Rails + Common Lisp, and as much as I *love* coding in Ruby and Lisp, this experience has also made me appreciate "Java the platform" :-)
The difference is who finds them and what happens when they are found. Vulnerabilities in Microsoft products are found either by accident (I pass you some data which should be valid and you choke, or I pass you some data which should be invalid and you don't choke, or you just crash instead of detecting the invalid data and throwing an exception or local equivalent, which is what you SHOULD do EVERY TIME) or by malicious motherfuckers deliberately looking for the above conditions, or disassembling the code and looking for potential race conditions.
By contrast, bugs in open source products are found by looking at the source code and by the above means. But the difference is that the number of non-malicious individuals looking at the code is far larger. So basically, all the same things happen in both places, but the first person to find the bug is more likely to be altruistic in the open source world; and furthermore, the bug is more likely to be found by an altruist at all (ever) in the open source world. You can be sure that a number of Microsoft bugs have been fixed silently without anyone ever announcing them... Which means only the malicious types know they exist, and people who don't patch unless they feel they have to are exposing vulnerabilites that they have no real way to find out about because they lack the requisite time and/or skills to test for such problems.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
This reminds me of the notorious suidperl vulnerability from back in the day. In a nutshell, you could use the following code to achieve a root shell from an unprivileged account (apologies if I don't get it exactly right... I don't have an ancient system to verify on):
That was available for how many years? Anyhow, that's much more serious than this Ruby DoS attack.They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
I LOVE ruby as a language, but let's be realistic here. All you need for a DOS attack against a ruby-based web application of any complexity is a few dozen users using it as intended. No need to waste time figuring out complicated exploits for that.
Oh yes it is.
Look at almost every security advisory issued out there. "Remedy: Do not/restrict usage of X until bug is resolved".
Making this a stab at MSFT just shows you up as an Apple fanboy.
Ignoring that there is a much bigger hole in IE that the Apple bug makes a tiny bit easier to trigger shows you up as what then?Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck