Apple security team finds code execution holes in Ruby

Apple security team finds code execution holes in Ruby

Summary: A member of Apple's security team has discovered multiple serious security vulnerabilities in Ruby, the popular open-source scripting language.According to an advisory on the Ruby project site, Apple's Drew Yao reported at least six of the vulnerabilities, which can be exploited to cause a denial-of-service  condition or the execution of arbitrary code.

SHARE:

Code execution holes in RubyA member of Apple's security team has discovered multiple serious security vulnerabilities in Ruby, the popular open-source scripting language.

According to an advisory on the Ruby project site, Apple's Drew Yao reported at least six of the vulnerabilities, which can be exploited to cause a denial-of-service  condition or the execution of arbitrary code.

The issues were confirmed in the 1.8 and 1.9 versions of Ruby.  Patch download locations can be found in the alert.

Ruby, initially developed and designed by Yukihiro "Matz" Matsumoto, is the interpreted scripting language for quick and easy object-oriented programming.

UPDATE:  Over on the Matasano Security blog, Thomas Ptacek Eric Monti describes some of these vulnerabilities as "disturbing."

These vulnerabilities are likely to crop up in just about any average ruby web application. And by “crop up” I mean “crop up exploitable from trivial user-specified parameters”. It’s not hard to begin imagining cases where Ruby/Rails programmers use code similar to the samples above to routinely handle user input. Unlike un-handled ruby exceptions getting raised, these bugs aren’t the fault of the programmer as much as the fault of the interpreter. Part of the unwritten “contract” with your interpreted language is that it will prevent you from letting ridiculous things happen by raising an exception.

Weaponizing these for code-execution may or may not be trivial (we’re looking into this too, — keep you posted). But even a class of DoS attacks this trivial would be horrible enough.

Topics: Apple, CXO, Software Development

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

8 comments
Log in or register to join the discussion
  • Wouldn't the best answer here to be Matthew 7:5?

    Why do you look at the speck that is in your brother's eye, but do not notice the log that is in your own eye?

    This would especially be valid after the applescript thing earlier this week or the pwn2own contest at cansecwest.
    i75
    • A better response might be...

      don't attack the messenger simply because you don't like the message. If there are security issues with Ruby what sense does it make attacking the person who found them? It would make a little more sense holding the developers of Ruby to account. I guess it's true what they say though...there's nothing common about common sense.
      jasonp9
      • I think he meant that

        they were quick to point out the flaws in somebody else's software, while never addressing or acknowledging the issues found in their own software.

        The "magician's misdirection" trick comes to mind.
        AllKnowingAllSeeing
        • So they should be quiet and not say anything? (nt)

          nt
          A Grain of Salt
    • response of biblical proportions

      Look at the positives to be gained from this, not blame the the people who discovered the flaw.
      As someone else has already pointed out this will make Apple look at their own code in Applescript for similar vulnerabilities.
      Quoting the bible is unnecessary pontificating.
      Pheck
  • RE: Apple security team finds code execution holes in Ruby

    Apple ships ruby as part of Mac OS X. Therefore they were looking at their own stuff.
    fermion12
  • RE: Apple security team finds code execution holes in Ruby

    Good. Glad they found it. Them finding it and pointing it out gives us all a chance to breathe easier. Now, isn't it amazing that nobody else out there found it? Apple's not the only company out there developing under Ruby, so...everyone else wake the F***-up! Sheesh.

    MM
    ceo8
  • RE: Apple security team finds code execution holes in Ruby

    Good. Glad they found it. Them finding it and pointing it out gives us all a chance to breathe easier. Now, isn't it amazing that nobody else out there found it? Apple's not the only company out there developing under Ruby, so...everyone else wake the heck up! Sheesh.

    MM
    ceo8