You Batter-y Beware


Seriously?

Malware stuffed into a USB battery charger?

This is just as bad as a trojan on a key fob and… a smart phone? Actually, this is worse, because people don’t expect a utility to run.

Is nothing sacred?

I’d just like to point out, being a big Mac fan, that it would have been trivial to write an exploit for Macs with this as well. Though it can be frustrated by enabling the Firewall. But face it, nobody (translate to: not many) does but me.

Lessons lessons

What’s the lesson here? Don’t trust a battery company’s software? Don’t use autorun? I’m sure Microsoft thought that it sounded like a great idea way back in the day.

You auto-be-running

Apparently, autorun has been renamed to autoplay (<sarcasm>Where the heck have I been, what a change!</sarcasm>).

According to KB967715 they had it disabled in XP prior to SP2. Now it’s enabled for XP SP2+, Vista, and 7. However, for Vista and 7 users, it asks you if you want to auto-run it first.

Trust

Again, it’s about trust. Do you trust Energizer to make you software? Apparently not any more. Even if you have auto-run disabled, it appears as though you can still be compromised because you trusted the application to run. So, a Mac is just as vulnerable in this respect.

So the next time a peripheral decides to offer you friendly software: just say no!

Left unsaid

I’m sure there’s tons of room for comments such as: “It’s the manufacturers overseas!” and, while that MIGHT be true, it would be much better if we didn’t trust all these random devices and gadgets we have.

Ruby on Rails: Rack 1.0.0 not ~> Rack 1.0.1 Caused by Stranded Rack Gem


The error message

/public/../config/../vendor/rails/railties/lib/initializer.rb:271:in `require_frameworks': RubyGem version error: rack(1.0.0 not ~> 1.0.1) (RuntimeError)
	from /public/../config/../vendor/rails/railties/lib/initializer.rb:134:in `process'
	from /public/../config/../vendor/rails/railties/lib/initializer.rb:113:in `send'
	from /public/../config/../vendor/rails/railties/lib/initializer.rb:113:in `run'
	from /public/../config/environment.rb:9
	from /public/dispatch.fcgi:21:in `require'
	from /public/dispatch.fcgi:21

Old news?

If you have this problem, odds are you’ve been poring over Google and you’re here because you have not resolved (comment #7) your problem. I’ve seen the “solutions” out there and they all claim: “Remove rack 1.1.0. Install rack 1.0.1”. I tried it and it didn’t solve my problem. The trick is, my error message was different. Also, most others are having trouble with WEBrick; I was having issues with lighttpd. I tried everything: commenting out line 23 in action_controller.rb (bad idea, by the way) in my vendor/rails/actionpack/action_controller/lib/action_controller.rb, and adding gem ‘rack’, ‘= 1.0.1’ in dispatch.fcgi (that moved the error message, but didn’t fix it).

The solution

Manually remove the residual rack-1.0.0 installation.

I will assume you’ve already tried:

sudo gem uninstall rack

and specified all versions.

Do be careful!

sudo rm -rf /opt/local/lib/ruby/gems/1.8/gems/rack-1.0.0
sudo gem install rack --version "= 1.0.1"

What happened?

The problem was that rack-1.0.0 wasn’t uninstalled completely. RubyGems thought it was, but it was still being loaded by the code. Why? Because it still existed here:

/opt/local/lib/ruby/gems/1.8/gems/rack-1.0.0

It existed even though gem list only showed 1.0.1:

wojno% gem list | grep rack
rack (1.0.1)

WTF, right?

I don’t know how it was stranded there. I only use gem to add/remove gems, yet somehow it was left there to rot my brain while I’m under deadline.
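As an added example (not from the original post), here is a small Ruby check that finds gem directories on disk that gem list does not report, so a stale directory like the rack-1.0.0 above is visible before it gets required. The helper names (parse_gem_list, stranded_gems, demo_fixture, demo) and the sample listing are constructed here; the code parses the plain “name (v1, v2)” format that gem list prints and compares it against the directory names under the gems directory.

```ruby
# Added example, not code from the post or from RubyGems.
# Finds gem directories that RubyGems does not report in `gem list`.
require 'tmpdir'
require 'fileutils'

# Parse `gem list` output such as "rack (1.1.0, 1.0.1)" into
# {"rack" => ["1.1.0", "1.0.1"]}. A "default: " prefix (newer RubyGems) is dropped.
def parse_gem_list(text)
  text.each_line.with_object({}) do |line, installed|
    next unless (m = line.match(/\A(\S+) \((.*)\)\s*\z/))
    installed[m[1]] = m[2].split(",").map { |v| v.strip.sub(/\Adefault: /, "") }
  end
end

# Return the names of directories under gems_dir (e.g. "rack-1.0.0") whose
# name/version pair does not appear in the parsed gem list. Everything else in
# that directory is code RubyGems knows nothing about, yet Ruby may still load.
def stranded_gems(gems_dir, installed)
  Dir.children(gems_dir).sort.select do |entry|
    next false unless File.directory?(File.join(gems_dir, entry))
    name, _sep, version = entry.rpartition("-")
    !(installed[name] || []).include?(version)
  end
end

# Constructed fixture reproducing the post's situation: rack-1.0.0 is on disk,
# but `gem list` reports only rack 1.0.1 (and rake 0.8.7).
def demo_fixture
  dir = Dir.mktmpdir("gems")
  %w[rack-1.0.0 rack-1.0.1 rake-0.8.7].each { |g| FileUtils.mkdir_p(File.join(dir, g)) }
  [dir, "rack (1.0.1)\nrake (0.8.7)\n"]
end

# Run the check against the fixture and clean up; returns ["rack-1.0.0"].
def demo
  dir, listing = demo_fixture
  stranded_gems(dir, parse_gem_list(listing))
ensure
  FileUtils.rm_rf(dir) if dir
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Against a real installation you would feed it the gems directory under Gem.dir and the output of gem list. Directory names that carry a platform suffix (for example a gem built for x86-mingw32) split differently on the last hyphen and would be reported, so treat the output as a list to review, and check the directory before deleting it, as the post says.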

Fun!

Keep in mind, I use MacPorts and keep it fairly updated.

Ruby Update Breaking old Rails Apps


Background

Lately, I’ve been updating my Mac and Linux systems (AS I SHOULD!) and for the past few months I’ve been getting errors from my Rails-based applications. They’ll be 500 errors (server error).

The Problem

It seems that the Ruby 1.9 update (from Ruby 1.8) has added the function “chars” to the core String class. Unfortunately, Rails prior to version 2 uses this method/attribute in a Rails ActiveSupport extension that allows you to slice up strings in an easier way. (I have not had this issue with newer, Rails 2 projects; I can only assume it’s not an issue there. Consider it unconfirmed.)

Specifically, the ActiveSupport library assumes that the String class does NOT define the “chars” function. However, with Ruby 1.9, it does. This leads to a conflict of types: Rails wants to use an attribute (as defined by ActiveSupport), while Ruby 1.9 is offering a method. The method wins, and Ruby thinks the result of “chars” is an enumerator when Rails is really expecting a String. Under Ruby 1.8, String included Enumerable as a mixin module; in 1.9, String no longer includes it.

The Rails team saw a need for the method chars and created one in activesupport/lib/active_support/core_ext/string/unicode.rb, then the Ruby core team added their own to the string class. Thus the conflict and thus the error.

The Solution

I picked this up from various websites reporting the same issue. They’re just not easy to find. You need to insert this code into the config/boot.rb file in the affected application. I put it at the top.

# Fix for ./script/../config/../config/../vendor/
#   rails/activerecord/lib/../../activesupport/lib/
#   active_support/core_ext/string/access.rb:43:in
#   `first': NoMethodError: undefined method `[]' for
#   #<Enumerable::Enumerator:0x103767ec0>
unless '1.9'.respond_to?(:force_encoding)
  String.class_eval do
    begin
      remove_method :chars
    rescue NameError
      # OK: String had no chars method to remove
    end
  end
end
# /Fix

It effectively removes the function “chars” that Ruby 1.9 adds to the String class. Hopefully, the Rails equivalent is the same and as secure or more so. But it only does this if the String class has the method “force_encoding”. Why force_encoding? Because it appeared in 1.9 along with “chars”. That’s the only link. So, should they remove “force_encoding” later, this fix won’t work any more.
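The fix above keys its decision on an unrelated method (force_encoding) standing in for “this interpreter defines chars itself”. As an added example (not from the post or from Rails), the following Ruby checks the method’s origin directly: it removes a method only when the interpreter defines it directly on the class being patched, and refuses when the method is inherited or was defined in Ruby code. The helper names (method_origin, drop_native_method, Scratch, demo) are invented here, and the walkthrough runs on a throwaway String subclass so the real String class is never modified.

```ruby
# Added example, not code from the post or from Rails.
# Decide whether a method may be removed by inspecting where it is defined,
# instead of using a proxy check such as '1.9'.respond_to?(:force_encoding).

# Where does klass#name come from?
#   :missing   - not defined at all
#   :inherited - defined on an ancestor or mixin, not on klass itself
#   :native    - defined directly on klass by the interpreter (no Ruby source)
#   :ruby      - defined directly on klass in Ruby code (e.g. a library core_ext)
def method_origin(klass, name)
  return :missing unless klass.method_defined?(name)
  m = klass.instance_method(name)
  return :inherited unless m.owner == klass
  m.source_location.nil? ? :native : :ruby
end

# Remove klass#name only when it is a native method defined directly on klass,
# i.e. the case where the interpreter's version would shadow a Ruby-level
# replacement. Inherited and Ruby-defined methods are left alone.
# Returns true if a method was removed.
def drop_native_method(klass, name)
  return false unless method_origin(klass, name) == :native
  klass.send(:remove_method, name)
  true
end

# Throwaway subclass so the demonstration never mutates the real String class.
class Scratch < String
  # A Ruby-level extension of the kind ActiveSupport installed on String.
  def wrapped_chars
    each_char.to_a
  end
end

# Walk through the post's situation on Scratch and return what each step
# reports. Re-entrant: the first step re-installs the native method each time.
def demo
  # Copy the C-implemented String#chars onto Scratch itself, reproducing
  # "core method defined directly on the class being patched".
  Scratch.send(:define_method, :chars, String.instance_method(:chars))
  [
    method_origin(String, :chars),          # :native
    method_origin(Scratch, :chars),         # :native, sits directly on Scratch
    method_origin(Scratch, :wrapped_chars), # :ruby
    drop_native_method(Scratch, :chars),    # true, the shadowing copy is removed
    method_origin(Scratch, :chars),         # :inherited, String#chars still reachable
    drop_native_method(Scratch, :chars)     # false, an inherited method is not touched
  ]
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

In a boot.rb the call would be drop_native_method(String, :chars) placed just before the library that defines its own chars is loaded; because the decision looks at the method itself, it keeps working whether or not force_encoding exists, and it does nothing when the method is already a Ruby-level one (for example, after the extension has loaded).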

Suggestions

Upgrade Rails to 2.0+. That should fix you up. Or avoid Ruby 1.9… I don’t recommend that, though. They’ve isolated some of the core functionality into libraries, so Ruby should have less of a memory footprint, and I’d imagine there are security fixes.

It is also unfortunate that this situation occurred. I’m not sure how it can be avoided in the future. Things get updated. A little warning about them would be nice; however, I’m actually amazed it hasn’t happened already. Kudos to the Rails/Ruby teams.

Microsoft and Spam


Today, I received an e-mail from a hotmail account explaining how I won a prize. It’s a clone of the English lottery scam, but the supposed Microsoft Award Team is listed as the sender. I figured I’d do the responsible thing and forward it off to abuse@microsoft.com. However, I was shocked when I received the following reply from MY mail server:

This is the mail system at host mail.adtrackersolutions.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                  The mail system

<abuse@microsoft.com>: host maila.microsoft.com[131.107.115.212] said: 550
   5.7.1 <Your e-mail was rejected by an anti-spam content filter on gateway
   (131.107.115.212). Reasons for rejection may be: obscene language,
   graphics, or spam-like characteristics. Removing these may let the e-mail
   through the filter.> (in reply to end of DATA command)
Reporting-MTA: dns; mail.adtrackersolutions.com
X-Postfix-Queue-ID: 7718A48041
X-Postfix-Sender: rfc822; cwojno@.com
Arrival-Date: Sat, 12 Jan 2008 10:13:25 -0800 (PST)

Final-Recipient: rfc822; abuse@microsoft.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; maila.microsoft.com
Diagnostic-Code: smtp; 550 5.7.1 <Your e-mail was rejected by an anti-spam
   content filter on gateway (131.107.115.212). Reasons for rejection may be:
   obscene language, graphics, or spam-like characteristics. Removing these
   may let the e-mail through the filter.>

From: Christopher Richard Wojno <cwojno@.com>
Date: January 12, 2008 10:13:20 AM PST
To: abuse@microsoft.com
Subject: Fwd: CONGRATULATION!!!

OK, so I can’t tell Microsoft about spam because their spam filter refuses my message? That’s really stupid.