Monday, June 23, 2008

Ruby vulns: it's been 3 years in the making

After a busy weekend, I come back to the magic of RSS to find multiple security holes in Ruby. I had heard about this last week but could not find any details. It seems that more information comes in the form of an Apple Security team member, Drew Yao, who made the discoveries. You can read more about it at Matasano or from ruby-lang.

These finds are very cool, and I have always been interested in bugs in interpreted languages, mostly because some folks think they are a “more secure” standard because they think the memory corruption angle is no longer an issue.

The first time I saw anybody publicly talk about this problem and a potential attack was at Blackhat Tokyo, by Dom Brezinski. Actually, when I say “I saw the talk” I mean I was sitting next to him in the speaker room discussing the problem afterward, because I was giving a talk opposite him on how to break security tools. The previous statement is to head off the trolls who will undoubtedly comment about my lack of actually seeing the talk because I was scheduled at the same time.

