Attackers are exploiting a vulnerability in the Ruby on Rails (RoR) web application framework to hijack servers for use in botnets, despite the fact that a patch was released around four months ago.
In January, researchers warned that more than 240,000 websites that use RoR web applications were at risk after longstanding vulnerabilities in the web programming framework were revealed.
The vulnerabilities (CVE-2013-0155 and CVE-2013-0156) lie in how the framework parses request parameters supplied by the user. CVE-2013-0156, the more serious of the two, is in Action Pack's XML parameter parser, which honoured type="yaml" and type="symbol" attributes on elements: a crafted request body could therefore make the server deserialise arbitrary YAML, instantiating attacker-chosen Ruby objects, or fill the symbol table until the process ran out of memory. CVE-2013-0155 affects JSON parameter parsing, where nil values could be slipped into Active Record queries to alter their conditions.
All RoR users were told to upgrade immediately to a patched version, or to apply the advisory's workaround of disabling the YAML and Symbol conversions, to avoid full remote code execution; because the XML parser was enabled by default, every unpatched Rails application was exposed.
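As an added illustration (not code from this article or from the Rails project), the Ruby script below mimics the mechanism behind CVE-2013-0156: a minimal XML parameter parser driven by a type-conversion table modelled on the pre-patch ActiveSupport::XmlMini::PARSING hash, beside a hardened table with the yaml and symbol entries removed, which is the workaround the Rails advisory recommended. The AuditLogEntry class, the sample request body and the function names are constructed for the example; the real exploit chain picked Rails-internal classes to reach code execution, and that is deliberately not reproduced here.

```ruby
require "rexml/document"
require "yaml"

# Constructed stand-in for "any class on the application's load path".
# The real attack chain targeted Rails-internal classes to reach code
# execution; here the point is only that the attacker, not the app,
# chooses which class gets instantiated.
class AuditLogEntry
  attr_accessor :message
end

# Pre-patch behaviour (simplified model of ActiveSupport::XmlMini::PARSING):
# a type="..." attribute on an XML element selects a converter. "yaml" and
# "symbol" are the two entries CVE-2013-0156 abused.
VULNERABLE_PARSING = {
  "integer" => ->(s) { Integer(s.strip) },
  "boolean" => ->(s) { %w[1 true].include?(s.strip) },
  # Every distinct value becomes an interned Symbol (not garbage-collected on
  # Ruby of that era), so a stream of requests exhausts memory.
  "symbol"  => ->(s) { s.to_sym },
  # Full object deserialisation. Old Psych's YAML.load was unsafe; modern Psych
  # names that behaviour unsafe_load and makes load safe by default.
  "yaml"    => ->(s) { YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(s) : YAML.load(s) },
}.freeze

# Post-patch / advisory-workaround behaviour: the yaml and symbol converters
# simply do not exist, so those elements fall through as plain strings.
HARDENED_PARSING = VULNERABLE_PARSING.reject { |type, _| %w[yaml symbol].include?(type) }.freeze

# Minimal stand-in for the XML parameter parser: one level of child elements
# under the root, each converted according to its type attribute.
def parse_xml_params(xml, parsing)
  doc = REXML::Document.new(xml)
  doc.root.elements.to_a.each_with_object({}) do |el, params|
    converter = parsing[el.attributes["type"]]
    text = el.text.to_s
    params[el.name] = converter ? converter.call(text) : text
  end
end

# Constructed request body. A legitimate client would only send the name,
# id and role fields; the bio element is the attacker's addition.
MALICIOUS_XML =
  "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" \
  "<user>\n" \
  "  <name>alice</name>\n" \
  "  <id type=\"integer\">42</id>\n" \
  "  <role type=\"symbol\">admin</role>\n" \
  "  <bio type=\"yaml\">--- !ruby/object:AuditLogEntry\nmessage: injected\n</bio>\n" \
  "</user>\n"

if __FILE__ == $PROGRAM_NAME
  before = parse_xml_params(MALICIOUS_XML, VULNERABLE_PARSING)
  after  = parse_xml_params(MALICIOUS_XML, HARDENED_PARSING)
  puts "vulnerable: bio is #{before["bio"].class}, role is #{before["role"].inspect}"
  puts "hardened:   bio is #{after["bio"].class}, role is #{after["role"].inspect}"
end
```

Run with the vulnerable table, the bio element comes back as a live AuditLogEntry object and the role as a Symbol; with the hardened table both are ordinary strings while the integer conversion the application actually relies on keeps working. In a real Rails 2.3 or 3.x application the equivalent workaround was deleting the "yaml" and "symbol" keys from ActiveSupport::XmlMini::PARSING in an initializer, and on current Ruby the safe default of YAML.load removes the deserialisation step even if such a converter survives.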
But according to a blog post by security researcher Jeff Jarmoc, RoR CVE-2013-0156 has recently been exploited in the wild.
“It’s pretty surprising that it’s taken this long to surface in the wild, but less surprising that people are still running vulnerable installations of Rails,” he wrote.
According to Tal Be’ery, web research team leader at security firm Imperva, there are three main reasons why the exploited servers' owners have not applied the patch, although they had four months to do so.
First, the administrators did not know about the vulnerability or the patch. This shows the importance of keeping up to date with known vulnerabilities and threats.
Second, there was no automated patching system in place. Automatic hot patching from a web application firewall solves all these issues, said Be’ery, as it empowers the security officer or administrator to protect the web application automatically.
Third, the administrator may have wanted to install the patch, but was prevented from doing so, due to development team requirements. Security updates are commonly delayed or postponed indefinitely because the business is concerned about something breaking, said Be’ery.