Personal Tech Pipeline | 'Greasemonkey' Firefox Extension Should Be Deleted

White Papers

Sponsor Resources

WebCasts
Free Newsletter GlossaryContact UsAbout Us
Players & CamsPhones & PDAsHome & AutoOnline

July 20, 2005

'Greasemonkey' Firefox Extension Should Be Deleted



Courtesy of TechWeb News

A vulnerability in the popular Greasemonkey extension to Mozilla's Firefox browser is so serious, said its developer, that users should either immediately uninstall the add-on or replace it with a neutered version.

Greasemonkey is an extension to Firefox that lets users change parts of a Web site with small bits of JavaScript. Hundreds of scripts exist, and range from one that eliminates all Flash objects to site-specific ones that, for instance, show prices in the user's local currency on Amazon.

The bug could let a malicious Web site read any local file on a Greasemonkey user's machine, or view the contents of all local drive directories, said Aaron Boodman, Greasemonkey's creator, on his blog.

"I'm working feverishly on a fix for this," said Boodman. "But [it] will take several days. In the meantime, I strongly recommend that everyone either install Greasemonkey 0.3.5, or else disable or uninstall Greasemonkey completely."

Greasemonkey 0.3.5 is a "neutered" version, added Boodman, that isn't open to exploit.

The bug was spotted by Mark Pilgrim, a programmer whose free e-book, Dive Into Greasemonkey," helped popularize the extension. Pilgrim also posted several working exploits to the vulnerability on mozdev.org's Greasemonkey mailing list.

"This particular exploit is much, much worse than I thought," Pilgrim wrote earlier this week on the list. "Running a Greasemonkey script on a site can expose the contents of every file on your local hard drive to that site. And Mac users don't get to gloat either; [they're] just as vulnerable. "At this point, I don't trust having it on my computer at all," Pilgrim continued in another message on the list. "I would think that whoever is in charge of addons.mozilla.org should immediately remove the Greasemonkey XPI and post a large warning in its place advising people to uninstall it."

Mozilla didn't follow Pilgrim's advice, but did offer up Boodman's crippled 0.3.5 versions.

Although the Greasemonkey vulnerability isn't Firefox's fault -- the Mozilla Foundation does little to control the development of browser extensions -- it's the third public black eye for the popular browser in a matter of days.

Last week, the group announced that its SpreadFirefox marketing site had been hacked and members' information possibly compromised. This week, it noted that Firefox 1.0.5 had broken several extensions, forcing another update Tuesday to 1.0.6.

Greasemonkey 0.3.5 can be downloaded from the addon.mozilla.org Web site.

E-mail This Story
Print This Story
Reprint This Story




Get the latest Personal Tech news, product info, and trends every week.


Related Content

  Right-click and choose Copy to extract RSS Feed URL  Personal Tech Pipeline's Main RSS Feed
  Right-click and choose Copy to extract RSS Feed URL  Personal Tech Pipeline's Blog RSS Feed



Keeping Up To Date On Enterprise Server Tech?
Review our compilation of columns on server security, database software, and Linux issues.
How to Achieve High Performance Through IT
Learn to achieve high performance by aligning IT to
strategic objectives and solutions to unlock that value.
Using Current Performance to Shape
Future Results

Hear new strategies for improving business
performance and results.

Editor's Picks

Well, Microsoft has "unfolded" its "Origami" ultra-mobile PC platform Thursday. It turned out to be a full-featured PC smaller than a tablet but bigger than a PDA. Are you impressed?
Yes! I want one!
Sort of. We'll see.
No! It's too big for a pocket and too small for real computing. What's the point?


In search of personal tech products? See our new Product Finder, where you'll find personal computing devices, communications solutions, security products, and more.



PERSONAL TECH PIPELINE MARKETPLACE (sponsored links)
Trend Micro Enterprise Anti-Spyware Solutions
"Trend Micro is delivering what enterprise customers want." -The Forrester WAVE/Enterprise Anti-Spyware, Q1 2006/Forrester 2006. Download a FREE 30-day trial of Trend Micro Anti-Spyware Solutions for Enterprise Today.

Prevent Information Leaks from your Network
With GTB Inspector Appliance. Free Trial (March 2006 only). GTB Inspector is a hardware appliance. It is installed easily and transparently on the network edge and prevents leaks of confidential information to the Internet.

Cost-Effectively Secure Sensitive Data
Encrypting data in servers and databases can address security gaps and privacy legislation. Ingrian DataSecure Platforms offer granular encryption, seamless integration, and centralized security management. Combat data theft--with unprecedented ease and cost effectiveness. Download a white paper that outlines best practices for securing data.

Symantec Backup Solutions
Desktop to Data Center Protection. Explore the Official Symantec Site.

SEC & HIPAA IM Compliance
Satisfy regulatory and compliance requirements for instant messaging.


Buy a Link Now


Top ten search terms from the TechWeb TechEncyclopedia
How does your pay rate? Check the InformationWeek Salary Survey
Mobilized Solutions Guide: Find and compare solutions for your business
Top Requested White Paper Categories from TechWeb White paper Library
Top ten search terms from the TechWeb TechEncyclopedia