The Ruby programming language is impacted by a similar “deserialization issue” that has affected and wreaked havoc in the Java ecosystem in 2016; an issue that later also proved to be a problem for .NET and PHP applications as well. The issue at the heart of this problem is how Ruby handles the process of serialization –and its counterpart, deserialization. Serialization is the process of converting a data object into a binary format so it can be sent over a network, stored inside a database, or saved on disk. As you might imagine, deserialization is the opposite process, of reversing a binary blob back into its data object structure that can then be fed back into the programming language for further processing at a later date. Almost all programming languages support serialization and deserialization operations. Some might use different names for these processes, but the concept is found in almost all. For example, in some Ruby documentation files, some developers refer to serialization and deserialization operations under the terms of marshaling and unmarshalling data. Serializing and deserializing data is a common operation in many web or desktop applications, mainly because it’s an incredibly easy and fast way of moving data between apps or different programming mediums. But security researchers have sounded the alarm about the improper usage of these two operations. It’s now been known for years that this process could be targeted to trick applications into running malicious commands, especially when user-supplied data is fed directly into a serializer… [Read full story]
ZDNet is a business technology news website published by CBS Interactive, along with TechRepublic. The brand was founded on April 1, 1991, as a general interest technology portal from Ziff Davis and evolved into an enterprise IT-focused online publication owned by CNET Networks.