Security issue makes some 200,000 websites vulnerable to malicious attacks

Jan. 10, 2013 Anders Innovations

Late on Tuesday night a message was sent to the Ruby on Rails security discussion list, which undoubtedly sent shivers down the spines of web developers using Rails around the world.

Several different developers had spotted a critical security problem in the Rails source code. News of a horrible vulnerability affecting a plethora of websites spread like wildfire through developer news and discussion sites, such as Hacker News.

Based on the Ruby programming language, Ruby on Rails is an open source web application framework. To put it simply, it’s used as a platform for building dynamic websites.

The discovered vulnerability makes it possible for malicious attackers to execute arbitrary code on the affected sites, which could mean, for instance, deleting files from the server, modifying information, performing SQL injections or denial-of-service attacks.

Six-year-old bug

Rails is hardly some obscure piece of software that no-one should care about. It’s in fact extremely popular and widely used globally. Ars Technica, the acclaimed technology news site, estimated that the bug threatens more than 200,000 sites.

Sites such as the highly popular software development hosting service GitHub and on-demand video streaming service Hulu were affected. Rails is also used by services such as Yammer, Scribd, Groupon and Shopify.

To make matters worse, it was quickly discovered that the bug affects all versions of the software released during the last six years. The blow the bug has caused to Rails’ reputation as a well-designed and secure system is uncontested.

Rails developers urge updates

The Rails community has done pretty much all it can do at this stage. They quickly offered a patch fixing the issue, and further provided instructions to work around the problem in case the system could not be updated. Rails developers pleaded for websites running their code to update their systems immediately.

Anders Inno not affected

Anders Inno’s products and services do not use Ruby on Rails, but the competing Django web framework.

We do have information, however, that even in Finland several hundred websites run on vulnerable Rails versions. Some of these affected sites are notable on a national scale. So we also urge everyone running Rails-based web services to update without further delay.