If you haven't installed the update, you can download it from here

May 29, 2013 12:57 GMT

In early January, Ruby on Rails was updated to address a security hole that could be exploited by cybercriminals to bypass authentication systems, inject arbitrary code, and even perform DoS attacks against Rails applications.

Many users have failed to update their installations, and cybercriminals are now leveraging the vulnerability to hijack servers, Ars Technica reports.

According to security researcher Jeff Jarmoc, cybercriminals are exploiting the flaw to download and execute a number of malicious files on impacted servers, and ultimately turn the infected machine into a botnet zombie.

“Functionality is limited, but includes the ability to download and execute files as commanded, as well as changing servers. There’s no authentication performed, so an enterprising individual could hijack these bots fairly easily by joining the IRC server and issuing the appropriate commands,” Jarmoc noted in a blog post.

You can download the latest version of Ruby on Rails from here.