How not to manage a vulnerability

Posted on Friday, August 11, 2006 in Ruby On Rails

Following on from my previous posts, Ruby on Rails 1.1.6 is now out along with full disclosure of the vulnerability. There is also a new Rails security announcement mailing list which can only be A Good Thing™.

However, whilst I think their speed of response has been excellent, their initial “security through obscurity” stance was inappropriate for both a) an Open Source project and b) one written in an interpreted language, and the rapid succession of releases implies they reacted too hastily.

The issue is in fact of such a criticality that we’re not going to dig into the specifics. No need to arm would-be assalients[sic].

…means nothing.

Regarding security through obscurity, we’ll release the full details of this issue once everyone has had a fair chance to upgrade their system. Source transparency is of little comfort if you just had your system compromised before you got a chance to apply the patch.

… means nothing too. Anyone wanting to know how the vulnerability worked (i.e. attackers) simply looked at the source, whilst the people not sure if they needed to upgrade right now were left in the dark unless they knew the internals of Rails intimately (i.e. not many).

Fortunately for me, the applications hosted here are low traffic and a brief downtime was acceptable to remain secure but I bet this was a real headache for the large Rails driven sites.

Mandatory Upgrade

Posted on Thursday, August 10, 2006 in Ruby On Rails

"They might want to replace that one" by Unhindered by Talent

Following the advice of the Rails core team, I have upgraded my server to run Ruby on Rails 1.1.5:

This is not like “sure, I should be flossing my teeth”. This is “yes, I will wear my helmet as I try to go 100mph on a motorcycle through downtown in rush hour”. It’s not a suggestion, it’s a prescription.

Seeing as I’m currently only hosting two Rails applications – this blog and Flickrlilli (which was used to source the above image) – I deemed it a fairly safe thing to do. I also took the opportunity to update this blog to Typo edge (revision 1208 to be precise).

Both upgrades were completely painless and had the minimum of downtime which is always a nice thing.
