Very critical something or another in Ruby 1.1.4 (updated)

Ruby on Rails 1.1.4 suffers from a very serious security vulnerability. In the patch announcement the developers wrote:

The issue is in fact of such a criticality that we’re not going to dig into the specifics. No need to arm would-be [assailents].

They won’t even release vague technical details or tell what function(s) are vulnerable.

What they are obviously missing is that the ‘would-be assailants’ have spent the last day figuring out what the vulnerability is. After all, they have the non-vulnerable version (1.1.5) and the vulnerable version (1.1.4), and they can easily diff the two. They’ve got the time to do it, and once they figure out how to exploit this, if the vulnerability is as critical as described, they may have a lot of fun with it. So very little is gained by hiding the details completely.

On the other hand, the good guys (us!) don’t have the vulnerability information, and don’t have the time (or the urge) to spend countless hours reverse engineering the patch. This is problematic for many reasons, some of which have been repeated countless times in past full disclosure arguments:
1. Administrators will delay upgrading assuming there’s no exploit code in the wild (they are probably wrong)
2. Are you being attacked for that vulnerability? There’s no way for you to know – you don’t know what to look for!
3. Using a vulnerability scanning tool to search for vulnerabilities? Tough luck. VA tools can’t scan you for this problem since the VA vendors don’t know what to look for.
4. Depending on an IDS? That’s a bad idea anyway, but in this case is completely useless (see reason #3)
5. Can’t upgrade right now? You’re a sitting duck, then, since you can’t create your own workaround for the problem
6. Trying to convince management to upgrade? Your best (and only) argument is “the Ruby team said we should do it”

The vulnerability information will leak out soon, and that will be way after the ‘bad guys’ already had it. Hiding information is just bad. Period.

update:
It seems the exploit is already here. Thanks go to the anonymous commenter on linmagazine for the information.
