Trustwave researchers have discovered a vulnerability in RubyGems, a software distribution programming language that's used for many payment processes.
Businesses, startups or technology companies using RubyGems for software distribution need to update software to keep criminals from feeding malware into user systems to complete data breaches, Chicago-based Trustwave reported in a June 23 blog. The vulnerability could affect up to 1.2 million software installations a day, or 438 million a year, Trustwave said.
The RubyGems software allows users to download, install and use Ruby software packages, or gems, on their systems. Ruby gems are used to help automate tasks and speed up work along a network. "A Ruby gem might do anything for a payment gateway," said Jonathan Claudius, lead security researcher at Trustwave.
Because a Ruby gem is simply a way to distribute software, "it could be any and all parts of a payment gateway technology."
Trustwave researchers and maintainers of RubyGems have fixed the vulnerability, but current users must incorporate updates. But it has a catch, Claudius said.
"The trick with this vulnerability is that it also affects the update mechanism itself," Claudius added. "When you go to update, you take the same risk as if you would be installing a gem, because Ruby gem updates are provided as gems."
A Ruby gem is a standard packaging format used for Ruby libraries and applications, allowing Ruby software developers a clear format to build and distribute software.
An end user unaware of the problem with RubyGems can unknowingly be led to a server controlled by criminals, who in turn can feed the end user malware to compromise the computer and gain access to all of the victim's sensitive information.
Among other steps outlined in the Trustwave blog, users should upgrade the RubyGem client in all Ruby environments to 2.4.8 or greater, Trustwave recommends. They should also verify all Ruby gem sources are using HTTPS.
Trustwave collaborated with researchers at OpenDNS to determine the potential harm with software installations.
The headlines generated by Trustwave and other researchers, as well as high-profile breach reports, are heightening security and breach awareness, particularly among the largest merchants, said Julie Conroy, research director and fraud expert with Boston-based Aite Group.
"Unfortunately, because it's the largest merchants that make the headlines, I think there is a huge swath of small and midsize merchants that don't think they are at risk," Conroy said. "They have absolutely no idea that they also represent a very attractive target for cybercriminals."
Smaller merchants typically have weaker security because it is more difficult for issuer analytics to "isolate a common point of compromise that only has 20,000 breached cards vs. 20 million," Conroy said. "It's death by 1,000 tiny cuts, and still highly profitable for the crime rings behind these attacks."
In April, Trustwave reminded merchants that the Payment Card Industry security standards upgrade to 3.1 would call for a change in Web connections from the common Secure Socket Layer to a more secure version of Transport Layer Security, or TLS.
Recent cyber-attacks exposing a vulnerability in SSL forced payment processors and security vendors to spread the word quickly to merchants about the needed security upgrade.