Apple security team finds code execution holes in Ruby

Summary:A member of Apple's security team has discovered multiple serious security vulnerabilities in Ruby, the popular open-source scripting language.According to an advisory on the Ruby project site, Apple's Drew Yao reported at least six of the vulnerabilities, which can be exploited to cause a denial-of-service  condition or the execution of arbitrary code.

Code execution holes in Ruby
A member of Apple's security team has discovered multiple serious security vulnerabilities in Ruby, the popular open-source scripting language.

According to an advisory on the Ruby project site, Apple's Drew Yao reported at least six of the vulnerabilities, which can be exploited to cause a denial-of-service  condition or the execution of arbitrary code.

The issues were confirmed in the 1.8 and 1.9 versions of Ruby.  Patch download locations can be found in the alert.

Ruby, initially developed and designed by Yukihiro "Matz" Matsumoto, is the interpreted scripting language for quick and easy object-oriented programming.

UPDATE:  Over on the Matasano Security blog, Thomas Ptacek Eric Monti describes some of these vulnerabilities as "disturbing."

These vulnerabilities are likely to crop up in just about any average ruby web application. And by “crop up” I mean “crop up exploitable from trivial user-specified parameters”. It’s not hard to begin imagining cases where Ruby/Rails programmers use code similar to the samples above to routinely handle user input. Unlike un-handled ruby exceptions getting raised, these bugs aren’t the fault of the programmer as much as the fault of the interpreter. Part of the unwritten “contract” with your interpreted language is that it will prevent you from letting ridiculous things happen by raising an exception.

Weaponizing these for code-execution may or may not be trivial (we’re looking into this too, — keep you posted). But even a class of DoS attacks this trivial would be horrible enough.

Topics: Apple, CXO, Software Development

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.