Firefox Greasemonkey Extension Security Problem
Mr2001 writes "A recent thread on the Greasemonkey mailing list suggests that the popular Firefox extension is fatally insecure. It seems rogue pages can read any file from your disk and send it to any site, using an XmlHttpRequest. Time to uninstall GM?"
It's about time people start writing some exploits for firefox!
http://www.dreamsyssoft.com
Quick, let's band together with a magician and a warrior and stomp those bow&arrow shootin mofos before they take over the internet!
Damn Microsoft! No doubt this can be traced to a Bill Gates directed conspiracy against rebel browsers.
The only PT Boat Journal on the web: http://www.PT171.org
are going to produce some vulnerabilities along with the gee-whiz plugins of the moment. That's pretty spectacular, though.
Don't disappoint your bird dog. Go to the range.
Just more ammo for the mega-powers to say, "See, when it becomes mainstream, it becomes more insecure. Come back to windows."
Marvelous.
Luke
----
Be smart. Teach others. ChristianNerds.com
"Time to uninstall GM?"
Why not just do what the article says and "Install Greasemonkey 0.3.5"
My lame blog.
The firefox guys should have realized that extensions are a HUGE security threat, possibly even worse than anything that's come out of IE. What they should have done is set up some permissions in the first place, so that you can allow or prevent extensions from performing sensitive operations. Something similar to the Java security model would have been good enough.
According to Firefox extensions site, you need to "uninstall or upgrade now." The post is from today.
Falun Dafa is good!
Time to try out Opera's User JavaScript.
Opera Watch - An Opera browser blog.
If you build an engine that allows you to write scripts that modify any page you view, there are obviously serious security flaws.
Allowing scripts to open files and send them elsewhere is especially bad, but there was a huge security concern to me either way. I like the concept of GreaseMonkey, but choose not to install it.
/. ++
This just goes to show that Microsoft isn't the only company who writes insecure software. I seriously doubt any company can write 100% secure software, so I base my judgement on if they can quickly fix holes that are found and learn from their mistakes.
Voice your opinion!
Here are some more details from the posting thread, which explains why the exploit is so bad...
This particular exploit is much, much worse than I thought. GM_xmlhttpRequest can successfully "GET" any world-readable file on your local computer.
http://diveintogreasemonkey.org/experiments/localfile-leak.html returns the contents of c:\boot.ini, which exists on most modern Windows systems.
But wait, it gets worse. An attacker doesn't even need to know the exact filename, since "GET"ting a URL like "file:///c:/" will return a parseable directory listing. (And Mac users don't get to gloat either; you're just as vulnerable, starting with a different root URL.)
In other words, running a Greasemonkey script on a site can expose the contents of every file on your local hard drive to that site. Running a Greasemonkey script with "@include *" (which, BTW, is the default if no parameter is specified) can expose the contents of every file on your local hard drive to every site you visit. And, because GM_xmlhttpRequest can use POST as well as GET, an attacker can quietly send this information anywhere in the world.
The above information posted originally by Mark Pilgrim
A severe security issue has been discovered in Greasemonkey versions prior to 0.3.5 as well as the early 0.4 alphas which some people may have installed.
Install Greasemonkey 0.3.5 or uninstall Greasemonkey immediately.
More information on Greaseblog.
Greasemonkey is a Firefox extension which lets you add bits of DHTML ("user scripts") to any web page to change its behavior. In much the same way that user CSS lets you take control of a web page's style, user scripts let you easily control any aspect of a web page's design or interaction.
For example, you could:
- Make sure that all URLs displayed in the browser are clickable links
- Improve the usability of a site you frequent
- Route around common and annoying website bugs
- Use the Coral content network selectively.
Getting started:
Install Greasemonkey 0.3.5. Learn how to use Greasemonkey. Find useful scripts.
Greasemonkey was heavily inspired by Adrian Holovaty's site-specific extension for All Music Guide and the conversation which ensued after he published it. There were tons of sites I wanted to create SSE's for, but fully-fledged firefox extensions proved too cumbersome. I wanted it to be as easy to create an SSE as it is to write DHTML.
The current maintainers are Aaron Boodman and Jeremy Dunck with the invaluable help of an awesome community of user script enthusiasts.
For questions or comments about greasemonkey, please send a message to the greasemonkey mailing list.
Notice how they avoid explaining the problem/solution. They just want you to see these new exciting features, and download it now!
Time is comparison of movement to other movement.
From the Thread.
This is why God invented the tag.
Finally a good reason to use it!
-Pizentios
We can blame God for all kinds of things like hurricanes and Godzilla but it's a safe bet that we brought THAT scourge upon ourselves.
EvilCON - Made Famous by
Is this a Windows only feature, or do us linux users get to enjoy it also?
GETPKG - Package Management for Slackware
Personally, someone could read my entire hard drive and it wouldn't bother me much. I don't keep sensitive information on my computer, because any computer connected to the internet should be considered insecure.
what sig?
Although the "average user" won't be using the various plugins, Microsoft will still point to this as one more reason to say that FireFox isn't secure. Sure, FireFox has its bugs. We need to get fixing them.
I'm not saying that FireFox is perfect. Obviously, it's not, and this article is a case in point. It's still the browser I use. For me, this is a warning to fix things or wait for them to stable up (oh yeah -- that mindset shown, I am a Debian user). But just like we use any little IE thing to say "See, IE is junk," this'll get used too.
*sigh* The joys of conflict.
Luke
----
Smarten up your stupider-than-you coworkers, send them to ChristianNerds.com
It's open source so millions of eyes have studied it to make sure it's secure...
looks like mozilla update is down !!
ahh ahh!!
every thing said and done... all softwares are as buggy if not worse than microsoft products
Would anyone have that info to post?? Thanx
Wait, What?
Firefox burns greasemonkey cuz it's made of fat But Seamonkey beats firefox because it extinguishes the fire. Then Greasemonkey beats seamonkey because it can float in water AND walk on land. my 2.56 cents
\u262D = \u5350
Oh, wait I don't browse as root already!
Guess it can't access "all" the files on my system then, can it?
Bavarian Purity Law of Rice Krispie Squares: Rice Krispies, Marshmallows, Butter, Vanilla.
I use Greasemonkey in conjunction with NoScript - an extension which prevents any site from using Javascript unless it is added to the whitelist maintained in the extension.
To run a Greasemonkey script on a page you have to allow that domain or subdomain in NoScript. This prevents Greasemonkey being used on a rogue page as I wouldn't use a script on an uber-dodgy site anyway!
I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
(MAN) Sirs, I am in dire need of a web-browser! The one thus furnished to me by Mr. Gates of Redmond is rickety and unsafe, and prone to inviting the most deadly of spy-ware into my parlor!
(MOZILLA SOCIETY REPRESENTATIVE) Why, good sir, we shall help you forthwith! We have exactly the web-browser that you need! It has been engineered to the most careful of specifications, and its security is without compare!
(MAN) Why then I shall have one immediately!
(LATER)
(RANDOM STREET URCHIN) Sir, I see that you have this day procured a web-browser, which I see under your arm. May I convince you to also take this complex contraption of my own invention, which will attach to your web-browser as a "plug in"?
(MAN) What, what? An inscrutable device of unclear ultimate function furnished by a stranger of whom I know nothing? Yes, yes, why not. Now run along, lad.
(LATER THAT NIGHT, THE CONTRAPTION PROVIDED BY THE STREET URCHIN EXPLODES, SETTING THE WEB BROWSER AFLAME.)
(MAN) What's this? Oh, mama! The web-browser I have this very day received from the Mozilla Society has immolated, consuming my drapes and lighting my house aflame. They told me it was secure! Lies! Betrayal! Those Mozilla Society rapscallions! I'll give them what for!
Precious mod points? Make sensible contributions, and you'll get more mod points, though what someone with no clue what to do with an apostrophe will do with mod points I do not know. Troll. And no, today I have no mod points. Goodbye.
Never send a Monkey to do a Gorilla's job or at least give him double the bananas. That's what I always say.
mcwidget.
Calm down? What that means is people will be alerted by the Mozilla update feature that an update is available. They can still not update. But this is a GOOD THING since not everyone who uses GM reads slashdot or the GM web site!
I mean the number of people that leave their administrator account still called administrator and with either a blank password or just "password" you don't need obscure exploits to get sensitive data off most people's computers.
you're an idiot.
It should be up to the individuals to decide if they want to make such significant mods to their system as purposefully crippling software.
You mean like in Firefox, where when updates are available all the auto-update feature does is display a little "updates available" icon in a browser window, then offer to install the updates when you click the icon?
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
"It's not a bug it's a feature" are quite likely words never actually spoken by any representative of Microsoft.
However there is a reason for this attitude.
Bug that makes it possible to run code on remote user's box:
Users say "Oh no bug bug. Get rid of it"
Developers say "Ohh feature feature keep it, expand it"
Security experts say "Bug"
If the developers provide a strong enough argument the "bug" is classified as a feature and remains.
I don't actually exist.
StudyING it (it takes time) and they HAVE found it is not secure, just like the millions of eyes are supposed to do.
One of them is bound to notice, eh?
So it works! Sweet!
Sam
blog.sam.liddicott.com
There's a proper way to handle exploits. Disabling a piece of software under the guise of an "update" wasn't the way to do it.
Under the "Tools" menu in firefox there should be an "Extensions" menu item. It will pull up a list of the extensions you have installed. You can choose Greasemonkey from that list and hit the "uninstall" or "update" buttons.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
Isn't this a huge hole in firefox as a whole? What is to stop extensions from being added to my browser that open it up to malicious content? Isn't this the same as the problems that IE has? IE is fine until you start allowing plug-ins, add-ons and scripts. What is to stop a script from running that adds in malicious extensions or plugins to firefox? Turn off the feature? I can do that in IE too? Am I missing something here or is Firefox no more secure than Firefox?
No matter how secure the core Firefox code is, it is all meaningless with the current extensions model. With the current model (or lack of one) a malicious (or plain buggy) extension can turn Firefox into a bigger threat than IE.
From my understanding, Firefox extensions aren't restricted from doing I/O or listening on sockets/etc. What's to prevent somebody from writing a seemingly harmless extension which silently dumps all activity logs or other information to an outside listener?
A Java type sandbox model, while a reasonable analogy, would IMHO be overly restrictive for extensions, which need to be more closely tied into Firefox than most Java applets need to be to do all the cool things that they currently do (eg: the Tabbrowser Extension).
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
Isn't XMLHTTPRequest only supposed to work within a single domain (e.g. I can't send any requests from one of my servers to one of my blogs)? If so then why has this become a problem? And why some developers have disabled some security measures built in by other developers into the object?
./R My blog
No one is forcing you to update. If you see an upgrade is available for Greasemonkey on your Firefox updates list, it's your responsibility to go see what was changed before installing.
LordBodak's journal.
They're beyond recovery at this point since everyone wants all the kewl extension stuff and there are an endless supply of idiots who think they can just patch past a fundamental flaw in security. Yes you want a secure sandbox but it won't be possible at this point. You need to drop back to a more secure point of defence. It won't be the OS, not if windows is any indication of lack of security. It would have to be something at the hardware or virtual hardware level. So a dedicated browser machine running in a dmz or on a virtual machine without access to any sensitive files or resources. I'm not too familiar with VMWare but the mainframe vm's were all about security.
It seems rogue pages can read any file from your disk and send it to any site, using an XmlHttpRequest.
Only if the browser has all the rights, which is a very dumb thing to do no matter the platform.
On my main Un*x box, Firefox was installed in a normal user account (using the
I'm pretty sure that Firefox/GM installed in a non-privileged user account under Win2000/XP doesn't allow access to any file from the hard disk either.
I'm not trying to defend poor coding/security practice made by people who certainly should know better, but it's simply misinformation to say that access to the files accessible from a user account is equivalent to "all the files on the harddisk".
From http://greasemonkey.mozdev.org/changes/0.3.5.html:
"Note that this Greasemonkey disables all GM* APIs, which means that it will break many user scripts. This is a temporary measure for people who want to continue using Greasemonkey without those features. A future version will re-enable the APIs."
This is one of the reasons that I avoid FF. It's pretty minimal out of the box. Plugins from everywhere are promoted as what really makes it sing, but to me this seems to add a big risk. Yeah, open source, thousands of eyeballs, yadda, yadda, but how many people seriously have time or skills to review all the code for themselves and why should I trust that some strangers have done a good (or any) review on my behalf? Too risky - I'll stick with Opera, thanks.
In 1986 I wrote a Commodore 64 terminal program that allowed BBS' to download and run bits of assembly code onto the user's machine in order to enhance the user's experience. It took about 48 hours before someone posted a message that executed a jump to address 64738 -- system reset.
Bad idea then. Worse idea now, no matter how much supposed security you surround it with.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
I admit that I haven't yet tried out GreaseMonkey, but when I look at the exploit code it raises one really big question. Why isn't there some way to prevent non-user script from accessing the GreaseMonkey objects? Wouldn't this allow the user to retain all the ability they have now while rendering scripts from malicious sites harmless? Seeing as how GM is meant to be a means for the user to use scripts to modify pages, it seems very odd that anything outside of user script would be able to access its functionality.
I realize it's likely due to the nature of Firefox's JS interpreter, but if this sort of separation isn't viable could someone enlighten me as to why?
In the future, all spacecraft will be made of cheese.
http://www.usdoj.gov/criminal/cybercrime/1030NEW.htm
Computers connected to the internet are "protected computers" under the statute. Crippling the software under the guise of an "update" is illegal. You know, that mod probably won't see your post, since you start out at -1. LOL.
Why would you say that a sandbox model is overly restrictive? The Java sandbox model has many routes out; it means that you can specify what permissions an application has, not forbid all of them. The Java model comes with nearly all permissions set to "no", but they can be opened.
That said, I haven't seen a really good way to manage permissions. It's just not practical for an applet to say, "In order to run this, you need these 47 permissions" and expect you to fix that. With cleverness the modeler could create roles with aggregates of permissions, so that you can say, "This app needs access to your browser UI" (like Tabbrowser).
Still, that's asking the user to make a lot of security judgments based on trust. Some extensions/applets/ActiveX should be allowed to modify your hard disk; most shouldn't. How can the user tell?
It's a hard problem, one that I don't have a good answer to. I know Microsoft's solution (based purely on a yes/no trust decision) sucks. But I'd say the problem isn't the over-restrictiveness of the sandbox, but the difficulty of asking the user to manage his/her sandbox well.
Don't add grease(monkey) to fire(fox).
so you don't browse as root. on most linux setups, that means you can't read other user's directories (do you really have lots of sensitive files lying around in /root?). truth is, web servers shouldn't be able to read files on your computer unless you specify exactly what to read (uploads are the only thing i can think of)--if this greasemonkey thing isn't a security flaw, i don't know what is.
on the plus side, it seems to me that it wouldn't be too hard to run mozilla under a very restricted user, who can basically write to a downloads directory and read from a preferences directory. that pretty much eliminates any problems to be had. seems like a pretty big end-all solution to me.
Everyone knows that non-Microsoft software has no security flaws. I blame Bill. Shame on you Microsoft!
It's about transparency and trust. If you can't see that, then you are just as blind as the developers who pulled this stunt.
It's also illegal.
The answer is: you. If you have half a brain you won't install extensions you know nothing about from sources you just met. Even if you would, Firefox would prevent you until you white-list the site. In IE, the stuff not only comes with the browser, but it's integrated into the browser and cannot be removed (activex, security holes, etc)
Or a possible terrorist attack ? Ohwait...
Even if you give an extension a new major version number it is still an "update" as far as Firefox is concerned. There isn't any way of calling it anything else.
As for trust, if they didn't plug a serious vulnerability I think they would lose more.
Does 3.5 "totally cripple" GM? The article and this thread haven't been very clear.
How is clicking on the "Upgrade" button not authorization? How is a change in the program that the user authorized "causing damage"?
Information wants to be free.
Entertainment wants to be paid.
You just want to be cheap.
In what will surely be flamed or moderated down..... Mozilla(Firefox, etc) is reaching the point where competing with Microsoft becomes hard/more fair to microsoft. Their install base has grown past the "anti-microsoft-for-the-sake-of-anti-microsoft" people and now it has become a target that actually is large enough to aim at. Some estimates have Mozilla market share as high as 25%. This means that there are now people actively searching for security holes, as well as problems with updating the install base, for fear of obsoleting plugins and extensions. It will be interesting to see what happens as Mozilla foundation naturally loses momentum as they try to re-wage the browser wars. -- Posted from Mozilla 1.7.8
Intentionally causing damage is illegal, turning something off because it is a big security hole? I don't think that fits cleanly under "intentionally causing damage".
You can make an argument for it being "damage", but it doesn't seem nearly as cut and dried as you make it out when you say "this is illegal".
When you have a problem, it's best to be as open and aboveboard as possible. Tylenol was a good example of this when that guy started putting poison in their pills. More recently, ditto Wendys and the finger.
What they're doing (posting crippleware as an "update") is more like giving everyone the finger.
While some kind of "security" layer sounds nice, I'd like to know what you suggest, specifically. A popup box saying "this site is requesting permission to read file X"? User clicks ok, every time, and they quit looking at it after a while. Then you wrote this:
There's really no way an extension to a Firefox app could get the penetration that IE had. Maybe AdBlock could get to 95% of the Firefox base, so if Firefox had 95% of the market, it could have the kind of numbers IE had in its heyday. Those are a couple of really big ifs, so I don't think your "worse than anything that's come out of IE" is at all justified. I'm not trying to hide behind obscurity, but just saying that your hyperbole is misplaced.
How many IE users have been hit by spyware? 40%, 50%, something like that? Come on.
sigs, as if you care.
---
Light is filtering down from above. Would you like to use DIVE?
Generated by SlashdotRndSig via GreaseMonkey
Why is it that when you believe something it's an opinion, but when I believe something it's a manifesto?
the important phrase in the statute is 'causes damage'. The update doesn't completely cripple the software, it just removes some functions that could potentially cause a great deal of damage. I wouldn't say that qualified as damage. The statute is clearly aimed at people that deliberately spread viruses and the like.
It's misleading the way it was done. The user thinks they're getting an upgrade or bug fix, when in fact they're losing functionality.
If it's wrong for spammers to be dishonest to end users, it's also wrong for developers. Good intentions are no excuse.
There are security holes in the software you use. ----- Period
You don't have the legal right to cripple software on another person's computer w/o their informed consent. This is unauthorized access. That's the law. Work within it:
heck is with all these posts saying, in essence, "as firefox gains marketshare, more exploits will be written for it"? Granted, that is very true but the exploit in question is for an extension and not the browser itself. Who actually uses the extension anyway?
Mod parent stupid. His "insightful" comment is based on a misunderstanding and leads people to think that firefox automatically updates extensions (which it doesn't).
PLEASE, don't tell the press that my wife is a spy.
Internet Explorer is way more secure and reliable. I went to a porno site yesterday and a pop-up asked me if I'd like to learn how to increase my penis size! How'd they know?!!! They must be reading my mind!
The next day, IE automatically took me to that site when I opened it up! In fact this page showed me a list of other sites I might like to visit like explicit hentai, rape videos, and scat! It was as if me and my browser mind-melded!
I like that when I was asked to pay for the penis-enhancing pills that I was redirected to site 135.34.65.256 instead of having enlargeyourlittlemember.com in my history list (wanna surprise the wife..)
It's been three months and I haven't got my pills yet. I think the postman is swiping them. (always wondered how he could steer his mail jeep and hand out mail at the same time.)
Where was I? Oh yeah, Firefox is a more secure browser, just don't use monkey grease.
I'm sure he'll have it fixed soon.
http://greaseblog.blogspot.com/2005/07/mandatory-greasemonkey-update.html
It only makes sense that Greasemonkey would provide a rich medium for exploits. However, let's not throw out the baby with bathwater with reactionism. This is an obstacle / opportunity to help Greasemonkey to evolve, perhaps to Grease-Neanderthal. I would like to add, once again Lynx proves itself the uber-browser.
One ring to bind them - should probably have more fiber and less rings in their diet.
First of all, the problem with GM is not with malicious user scripts, or at least that's only as much of a problem as malicious extensions, and user scripts may even be less so so they are easier to read.
The problem lies in the interaction between certain APIs and the DOM. They aren't separated, and a malicious page can use the APIs to execute remote commands, including accessing local files.
That seems like a big problem, until you realize, as the people working on this do, that a malicious webpage must be in the included list to utilize this exploit.
In other words, site specific user scripts, what GM was designed to implement, are only vulnerable if that site passes malicious javascript.
Non-site specific user scripts, like Linkify, are the issue. They can easily be disabled in Tools>Manage User Scripts. They can generally be identified because they have a "*" or other general includes instead of a specific site url.
Don't believe me? test it yourself, here, with the example exploit. If all you see is a blank page, then congratulations your GM is probably still secure.
http://www.santacruzbynight.com/index.shtml Santa Cruz By Night Vampire Larp
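The check described in the post above, together with Mark Pilgrim's note that "@include *" is the default, as an added example that is not part of the original thread or of Greasemonkey's code: a Node.js script that reads the metadata block of each user script and flags the ones that run on every site. The function names, the sample scripts and the rule for what counts as a "broad" pattern are assumptions made for this example.

```javascript
// Added example: audit user-script metadata for site-wide @include scope.

// Extract @name and @include values from the "// ==UserScript==" block.
function parseIncludes(source) {
  const includes = [];
  let name = null;
  let inBlock = false;
  for (const raw of source.split(/\r?\n/)) {
    const line = raw.trim();
    if (/^\/\/\s*==UserScript==\s*$/.test(line)) { inBlock = true; continue; }
    if (/^\/\/\s*==\/UserScript==\s*$/.test(line)) break;
    if (!inBlock) continue;
    const m = /^\/\/\s*@(\S+)(?:\s+(.*))?$/.exec(line);
    if (!m) continue;
    const key = m[1];
    const value = (m[2] || '').trim();
    if (key === 'name' && value) name = value;
    // An @include with no value is treated like a missing one.
    if (key === 'include' && value) includes.push(value);
  }
  // Per the thread, "@include *" is the default when none is specified.
  if (includes.length === 0) includes.push('*');
  return { name, includes };
}

// Assumed rule: a pattern is "broad" unless it pins the script to a literal
// host (optionally with a leading "*." for that site's subdomains).
function isBroadInclude(pattern) {
  if (pattern === '*') return true;
  const m = /^([a-z*]+):\/\/([^\/]*)/i.exec(pattern);
  if (!m) return true;                       // no scheme://host to pin it down
  let host = m[2];
  const leadingWildcard = host.startsWith('*.');
  if (leadingWildcard) host = host.slice(2);
  if (host === '' || host.includes('*')) return true;
  return leadingWildcard && !host.includes('.');   // e.g. "*.com"
}

// Report, per script, which patterns make it run on arbitrary sites.
function auditScripts(scripts) {
  return scripts.map(({ file, source }) => {
    const { name, includes } = parseIncludes(source);
    const broad = includes.filter(isBroadInclude);
    return { file, name, includes, broad, siteWide: broad.length > 0 };
  });
}

// Constructed sample scripts (not taken from any real user script).
const SAMPLE_SCRIPTS = [
  { file: 'linkify-like.user.js', source: [
    '// ==UserScript==',
    '// @name     Make URLs clickable',
    '// @include  *',
    '// ==/UserScript==',
    '/* script body */'].join('\n') },
  { file: 'one-site.user.js', source: [
    '// ==UserScript==',
    '// @name     Example.com tweaks',
    '// @include  http://www.example.com/*',
    '// @include  http://*.example.org/forum/*',
    '// ==/UserScript==',
    '/* script body */'].join('\n') },
  { file: 'no-include.user.js', source: [
    '// ==UserScript==',
    '// @name     Forgot the include line',
    '// @include',
    '// ==/UserScript==',
    '/* script body */'].join('\r\n') },
  { file: 'mixed.user.js', source: [
    '// ==UserScript==',
    '// @name     Mostly one site',
    '// @include  http://www.example.com/*',
    '// @include  http://*/*',
    '// ==/UserScript==',
    '/* script body */'].join('\n') },
];

// Print the audit so the site-wide scripts can be reviewed or disabled.
for (const r of auditScripts(SAMPLE_SCRIPTS)) {
  const verdict = r.siteWide ? 'RUNS ON EVERY SITE via ' + r.broad.join(', ')
                             : 'site-specific';
  console.log(r.file + ': ' + verdict);
}
```

Scripts reported as running on every site are the ones the post above suggests disabling under Tools > Manage User Scripts.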
No matter how you try, client-side JavaScript will never be secure.
Interestingly enough, IE's equivalent, Turnabout doesn't seem to have this bug.
Gator and Weatherbug are not illegal, sadly - the EULA as justification for inclusion has been upheld. The user is in fact getting a bug fix - the bug that allowed for a major security breach is being removed. You may not like that bug fix, but sucks to be you. GM is not disabled by this update and many scripts will continue to run. Insecure scripts will not.
1. Open a new tab
2. Drag and drop the .xpi link onto the new tab
3. Profit!!!! :)
Bypasses the whitelist every time, not that I'd advise getting into that habit
Laugh it up, funny boy. This is a prime example of why open source software can't be trusted on government computers until there's a reasonably centralized organization heading up the whole thing.
First of all, there's lots of transparency in the code, but no accountability in the coders. If somebody exploits some random firefox hole and nukes a town with our own weapons, was it worthwhile just to push some silly philosophy?
Second, you can't trust the government to upgrade its systems because, for the most part, it's full of incompetents and generally doesn't pay well enough to hire anything better from the private sector contractors it digs into. I mean, granted, this GM update will (stupidly) force an install on your computer (gleefully breaking all sorts of things in the process), but most software devs are responsible enough not to do that, and won't.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
Huh?
Calling it an update, when in actual fact it's not
I assure you, every user in the world who is not insane considers "removes a vulnerability that potentially allows any website to read your hard drive" an "update".
I also assure you that if you want to engender trust among your users, removing as immediately as possible bits that would allow any website to read your hard drive is the way to do it.
If upgrades that incidentally break features are illegal, then every single software company in the world would be in jail by now. The legal reference you are vomiting all over this comment tree has nothing whatsoever to do with what WebMonkey did today, it concerns something different.
If you're so incredibly upset that a point release of a minor third-party extension for a minority web browser broke something minor in the process of fixing a truly huge and dangerous broken aspect of the previous point release, then the thing to do would be re-install the previous point release, not come make 30 posts whining about it on slashdot.
the update mechanism is different under linux
I have not used the firefox extension functionality under linux, but the documentation indicates you are flat out wrong here.
In any case, if you wish to turn off the automatic update notify feature for extensions, instructions on how to do so can be found here.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
For example, I didn't bother upgrading from firefox 0.8 when everyone was worried about the image bug. I looked at it, decided that my risk was precisely zero, based on my browsing patterns, existing security measures, etc., and stayed with 0.8 until I upgraded my distro. That is my choice.
Not every potential exploit has to be fixed RSN in every situation (even Linus agrees on that).
They're called personal computers for a reason - what I put on them is mine. Tell me what is wrong, and let me be the judge as to whether I patch or not. Don't try to cripple stuff under guise of "patching". Maybe I have a different work-around, or I have other precautions in place, or I've balanced the risk/benefit ratio and determined that removing the functionality is more damaging in the here-and-now than some potential damage that might happen in the future.
F/LOSS is based on trust. This was NOT the way to go about engendering more trust.
And even if there was, you are NEVER forced to install the update. If you want to keep using the old one, go ahead.
LordBodak's journal.
Peace! Make Love, Not War! Free Love and Hard Drives!
It is up to the individual, once the software has been installed on their computer, to decide whether they want to disable potentially insecure features. The original author has absolutely zero rights to try to take such an action "under the radar," and the courts have taken this position time and again.
the people using greasemonkey aren't your average users - they're (hopefully) not complete n00bs. They should be able to decide, on an individual basis, whether the perceived benefits are greater than the potential risks.
I'm gonna get troll rated for this, but whatever.
So basically... Mozilla is just as much of an insecure platform as IE, because they allow plug-ins.
Yeah, yeah.. It's Greasemonkey... it's some stupid add-in piece that you have to explicitly install.
But that's also the way most spyware gets on IE. People get prompted "Please download and install this, and make sure you say 'Yes' when prompted is that ok?"
and people do it...
why? Because they are promised free porn, free poker, free music, or a free trip to Nigeria to collect their $10 million.
Welcome to the real world!
Mods on crack again. Fuck you all. People with mod points should mod up tomhudson's original post as insightful. To anyone who modded the post incorrectly, I piss on you. To anyone who incorrectly mods me, I spit on your grave. A pox on all of you who abuse mod points.
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
Even Microsoft is smart enough not to try this sort of shit.
Laugh it up, funny boy. This is a prime example of why open source software can't be trusted on government computers until there's a reasonably centralized organization heading up the whole thing.
Yeah, what the heck are they thinking? They should just leave the vulnerability hidden and leave your computer to infest with spyware, which could have done anything since they pretty much install their own executable on demand if they wanted to, like the "default" browser are doing!
First of all, there's lots of transparency in the code, but no accountability in the coders. If somebody exploits some random firefox hole and nukes a town with our own weapons, was it worthwhile just to push some silly philosophy?
Yeah, with this type of transparency, finding problem before some hacker discover it on their own is MILLION to one I tell you what!
Second, you can't trust the government to upgrade its systems because, for the most part, it's full of incompetents and generally doesn't pay well enough to hire anything better from the private sector contractors it digs into. I mean, granted, this GM update will (stupidly) force an install on your computer (gleefully breaking all sorts of things in the process), but most software devs are responsible enough not to do that, and won't.
That is right, an automatic update are proven to break everything, and it is a greater risk than just leaving the vulnerability there cause no one can fix it right, since everyone have equal access to the source code. They all have equal chance of fixing it themselves if they wanted to. According to the average programming skill in the public, the number is dishearteningly low!
Seriously, I think they did what they want. When you install something on your computer, you should be responsible for the outcome and do your research, especially when installing in corp offices and other critical use. This type of things happened with just about anything. According to your logic, we should just go back to pencil and paper cause no one can hack them without physically steal your stuff.
The person thinks they're getting an update, rather than being informed, as required by LAW, that the "update" decreases functionality.
If you have an issue with this, take it up with your local congresscritter - but remember, if you allow F/LOSS developers to unilaterally sneak in degradations without informed user consent, then you also have to allow Microsoft the same liberty. Do you REALLY want that legislated into law?
The current situation, which requires disclosure and informed consent, is the best we've come up with to date.
It's not that minimal, really. And if you stick to extensions from mozdev.org then there's an auditing body for you, as well. Most of the useful extensions are high profile, anyway, and so they are screened by more people, because you only really need a few to actually make Firefox significantly slicker (Adblock, Bugmenot, Web developer, some kind of Tab extension)
im in ur
Maybe you shouldn't be telling people what's illegal and what's not, then.
Acceptance requires that you have been informed as to what you are accepting. Your argument would allow for all trojans that people click on to be considered "acceptance" - after all, they clicked on "AnnaKorina.jpg.exe" ...
This is, in fact, generally what the courts have decided. Spyware bundling is *legal*. Not that has any bearing whatsoever on the Greasemonkey update, because you'd have to prove your position that increased security is "damaging".
The original author has absolutely zero rights to try to take such an action "under the radar," and the courts have taken this position time and again.
The courts have done no such thing. In fact, they have done the opposite, in far more underhanded situations - such as Claria. Your argument, in fact, would demand that *any* update would have to be a 100% superset featurewise (and who decides exactly what a "feature" is, anyway - immunity to an enormously dangerous exploit is a feature in my book), or else it would be "illegal".
Would it be nice if the Firefox update feature included a mechanism for showing a changelog or whatever? Yes it would. Maybe you should go file an RFE. Getting your panties in a bunch and screaming all over Slashdot about how it's illegal and damaging the computer is you blowing a load of stupid crap.
Moderators please be aware. If you look at The parent poster's slashdot journal you will find that in the last two entries he (1) announces a "troll tuesday" dedicated to posting trolls and (2) directly links his post here today, with the header "flamewar!".
It seems fairly clear, based on his journal entries in which he expresses an intent to troll and then links this post; and the nonsensical and extreme viewpoint expressed in the parent post, and the bait-and-switch method by which he argues one thing in the top-level post then switches to something entirely different in the replies; that "tomhudson" is purposefully trolling, then using his journal to show off his post to the troll community to gather support and possibly upmods.
Please react accordingly.
This is one of the reasons that I avoid FF. It's pretty minimal out of the box.
Pretty minimal? WTF are you smoking? Firefox does everything for me right out of the box that I could ever ask it to do. I have installed it (total time including download less than a minute in most costs) on machines all over the place in lieu of using IE. I never have to download any extensions or plugins for it.
In fact the only plugin that I have installed on FF at home is Macromedia Flash. Other than that it comes with everything I need.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
By the way, "Greasemonkey Hacks" is DEAD until we fix this. And I'm posting a big red blinking warning on every page of diveintogreasemonkey.org advising visitors to uninstall it, until all of these security holes are closed. This is why God invented the <blink> tag.
And I just realized I changed my sig from the old anti-<blink> one. Poo.
I hate grammar Nazi's.
Not to feed the troll, but...
Firefox requires you to explicitly install extensions. Not only must you click install, it makes you read the install dialog (the "Install" button is greyed out for a period after the window pops up). Oh, and it needs to be a trusted site too.
Most spyware gets into IE by exploiting bugs so that you never see the install.
This is largely because of IE's marketing game. At some point, the web browser threatened the traditional application space. Put less kindly, all of those VB monkeys (not to be confused with programmers) would lose their jobs because of those darned web page thingies.
Microsoft threw the web people a curve ball with IE. They attacked open standards with their negligence, gave the VB monkeys a mechanism to spread their pox on the world (ActiveX), and created a new, exciting way to be tied to Microsoft (ActiveX and IE in general).
Before Microsoft, 9 out of 10 people weren't clever enough to "develop software". Of course, they aren't now either, but they can make it look decent enough. It's no wonder that people trying to make real progress have to deal with this kind of overgeneralized tripe.
More to the point, any web browser needs a plugin architecture to be extensible. All of your assertions above blithely assume this is not your problem. Regardless, the only way to allow:
a) Extensibility
and
b) Security
is to allow the user to provide the security layer. People miss this, but there is no way (and likely will never be any way) to have a computer recognize what is malicious. At some point, the user will always have to make the choice to install something that fundamentally changes the computer. At that point, there will always be this problem.
The catch is, IE often will allow installations without so much as a prompt. This is the problem. So, actually, IE *DOES* install bad code. It often does so because IE contains broken code itself.
In this case, Firefox functioned within the security model and the user instructed it to install code which was broken. That was the problem. Worlds of difference here. This is a GreaseMonkey problem, pure and simple.
Put another way, remove GreaseMonkey from the equation and there ceases to be a problem. Well, unless you continue to maintain that a browser (or any software) should magically infer intent, in which case I have some snake oil to sell you--assuming Microsoft has left you with any money.
I think Mauve has the most RAM. --PHB (Dilbert Comic)
Parent is absolutely correct. Of course, it will be ground into "-1, flamebait" dust in about 10 minutes.
Denial is always the proper approach when dealing with liberals.
Forget the legality for a moment - do you really want to give a third party the right to unilaterally decide that an update should intentionally bork existing functionality on your box, without first telling you that it's going to do this, and then giving you the opportunity to refuse?
Passing this off as an "update" is just wrong.
"Those Mozilla Society rapscallions! I'll give them what for!"
Mozilla is just as much of an insecure platform as IE, because they allow plug-ins.
Not quite.
The big problem with IE is not just that it has a plug-in mechanism, but it has a plug-in mechanism that's based on the HTML control (the actual browser component) assigning the right to install plugins to an object (the web page) based on an ad-hoc security model that's based on the location the object is believed to originate. Certificates, security dialogs, and so on... these are layered on top of this, but basically the HTML control is responsible for figuring out if a "dangerous" action should be allowed with no more than hints from the calling applications, and a jargon-filled dialog box that the user has to decide on RIGHT AWAY.
I get calls from my users all the time that are variants on "this dialog box came up and I hit 'yes' without thinking".
So... the control is pervasive, it's used by lots of applications, the API can't be significantly changed without creating a mass upgrade day for every app that uses it, responsibility is placed in the wrong place, and the user interaction encourages mistakes.
Firefox's extension mechanism has a similar problem with its installer, but:
The extension installation mechanism is part of Firefox, not the Gecko HTML display object, so applications using gecko aren't automatically exposed as well.
The Firefox extension API does not depend on the installer's behaviour, it's possible for Firefox to switch to a more secure download-and-install design without breaking any applications.
The user interaction requires three separate steps, and there's no path through those steps that simply answering "yes" by reflex will result in the extension being installed.
In addition, in Windows, there have been a number of attacks that involved tricking the HTML control into thinking that a remotely downloaded object was local... or even already installed. This approach is not possible in Firefox because instead of allowing plugins to run from anywhere except the places it thinks are dangerous, it doesn't allow plugins to run from anywhere except a specific directory that's got a randomly generated name in its path so it can't be targeted by a download.
I would still recommend using a shell other than Firefox around a Gecko- or KHTML- based browser. I use Camino (Gecko) and Safari (KHTML) on Mac OS X, but I'm sure there are equivalents to these for Windows. But regardless, the exposure from using Firefox is so far less than using IE that if Firefox and IE are your only choices... use Firefox.
I do not recommend using the Netscape browser, because of the way it allows the use of either Gecko or the Microsoft HTML control.
I would like to first address a lot of the people who are taking this as a chance to really dog Firefox and the Open Source Community as a failure on their part.
Because someone has discovered this problem, one can now fix the problem. That is the whole idea of Open Source and all that rot. If anyone would love to submit a patch for Windows 95 to make it run longer than 52.5 days, I'm waiting. It's a known problem, why isn't it fixed? Well because someone, somewhere said they weren't going to fix Windows 95 because it's too old. Which this is the case a lot in closed source. You know there is a bug and you'd like something to be done about it, but nothing will be done unless MS sees that a patch for the software is cost justified.
Also aside from the fact that this is an extension of Firefox, I know it's just as bad as if the package was faulty. Up till today I had never heard of this extension. So I'm not sure as to how widespread this problem is, but I'm guessing that a good chunk of all Firefox users do not have GM.
To top it all off, the writers of GM have issued a fix for their extension by means of version 3.5. Yes I know it breaks API compatibility, which sounds like something MS would do, but just like what the Mozilla team did with IDN, they turned IDNs off until they could make a good way of handling them. Which the Mozilla team came up with a fix in a fairly decent amount of time. I find it highly possible that this piece of software will do likewise. As opposed to MS breaking things with SP2 and then telling all of the vendors to just get over it, (which I will agree that only a small amount, twenty or so, of vendors got 'left behind', so not horrible, just bad.)
Now secondly, from the story, GM only returns results of files that are world readable (aka the Everyone group if you are a Windows person). Now, I'm not sure how everyone has their system setup so this could all vary from one person to another.
In Linux my home directory (the one with all my private stuff) is only owner read, write, traversable (700 or rwx------).
If I remember correctly, in Windows the C: (root) drive's permissions for the Everyone group is.
-Traverse/Execute
-List Folder/Read
-Read Attributes
-Read Permissions
(I may have missed a few because I don't have a Windows machine handy)
At no part is write permission granted to Everyone.
Therefore, your OS is mostly secure to protect you from getting some form of malware on your system.
However, this does allow someone to read data from your system if, and this is the big if, you set your private stuff as world readable (aka readable by the Everyone group.)
Which as far as I know all of your cookies and history is stored somewhere in .mozilla (Linux) My Documents (Windows)
Which as stated previously /home/$USER on my machine is (700 or rwx------) which prevents /home/$USER/.mozilla/firefox/* from being displayed (and just to be safe all things ~/.mozilla/* should be 700)
Now if I correctly remember for Windows, My Documents, does not even have an entry for the Everyone group to do jack crap with. I know, gasp , Windows Permissions actually working for the user?!
So this leaves the would be hacker mostly your system configuration (and not even the good parts) left open to be read. I know they can't read a bunch of my /etc folder (Linux's folder for configuration) because a lot of it is owned by root with 700 or 770 permissions. So that leaves for the most part things that a hacker could have already found out if they had just used nmap on my system. Same goes for Windows.
I mean really, what good does it do one to only be able to read the boot.ini file??? "Ok, now I know you have two installs of Windows, or you use the Windows bootloader to load Linux for you (or what not.)" It's not like they can change it, only read it.
This problem isn't a very high security threat if you have some wits about you, but it is a problem indeed and it needs to be fixed. However, this problem is being hyped up as if this was allowing world write access to your system, which is just not the case.
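The permission reasoning in the comment above (a 700 parent directory shields world-readable files beneath it from other accounts) can be checked mechanically. This is an added Node.js example, not code from the thread or from Greasemonkey; the function names and the temporary sample tree are constructed, and it assumes POSIX mode bits and that the directories above the audited root are traversable.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

const octal = (mode) => (mode & 0o777).toString(8).padStart(3, '0');

// Walk `root` and list every entry whose mode grants read to "other".
// `exposed` is true only if every directory between `root` and the entry also
// grants search (x) to "other"; otherwise a parent blocks access by path.
// Assumption: the directories above `root` are themselves traversable.
function auditOtherReadable(root) {
  const findings = [];
  const walk = (p, ancestorsTraversable) => {
    let st;
    try { st = fs.lstatSync(p); } catch { return; }   // vanished or unreadable
    if (st.isSymbolicLink()) return;                   // never follow links out of the tree
    const otherRead = (st.mode & 0o004) !== 0;
    const otherSearch = (st.mode & 0o001) !== 0;
    if (otherRead) {
      findings.push({ path: p, mode: octal(st.mode), exposed: ancestorsTraversable });
    }
    if (st.isDirectory()) {
      let names;
      try { names = fs.readdirSync(p); } catch { return; }
      for (const name of names.sort()) {
        walk(path.join(p, name), ancestorsTraversable && otherSearch);
      }
    }
  };
  walk(root, true);
  return findings;
}

// Constructed sample tree standing in for a browser profile directory.
function buildSampleProfile() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'perm-audit-'));
  const make = (rel, mode, isDir) => {
    const p = path.join(root, rel);
    if (isDir) fs.mkdirSync(p); else fs.writeFileSync(p, 'constructed sample\n');
    fs.chmodSync(p, mode);                             // set explicitly, independent of umask
  };
  fs.chmodSync(root, 0o755);
  make('open', 0o755, true);
  make('open/history.dat', 0o644, false);              // world-readable and reachable
  make('open/keys.db', 0o600, false);                  // owner only: not reported
  make('locked', 0o700, true);
  make('locked/cookies.txt', 0o644, false);            // world-readable but shielded by 700 parent
  return root;
}

function demo() {
  const root = buildSampleProfile();
  try {
    for (const f of auditOtherReadable(root)) {
      const rel = path.relative(root, f.path) || '.';
      console.log(`${f.mode} ${f.exposed ? 'EXPOSED ' : 'shielded'} ${rel}`);
    }
  } finally {
    fs.rmSync(root, { recursive: true, force: true });
  }
}

demo();
```

This measures exposure to other local accounts only. Code that runs inside the browser process runs as the owning user, so owner-only modes do not restrict it.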
The problem is that the user code becomes part of the page, so they are in the same security context, but we could require the GM functions to require a hash to be passed, this hash would be generated for each machine, so, code coming from the net would not know the hash and would be unable to access the functions, but code coming from the user would have the correct hash, and so would be executed ...
WTF am I doing replying to an AC at 5 A.M on a Friday night?
..that Mozilla is having lots of problems lately..
U need flash?
Just because it CAN be done, doesn't mean it should!
In fact, they should remove the old releases, and if they had a way to force users to upgrade, they should have used it. (Although, thankfully, they don't have that option, because that could be used for malicious purposes.)
And what the hell are you talking about, them not being open? Go and read about it if you want know about it. It's very clearly explained what's going on.
Of course, by your analogy, Tylenol shouldn't have removed its products from the shelves until a new shipment arrived. Some people might have been willing to take the risks, because they had a really bad headache, and heaven forbid Tylenol not allow people to harm themselves using Tylenol's products.
I find it astonishing that anyone can even pretend to complain about this updating automatically. I was about to complain about the fact it apparently wasn't, at least not before I removed it.
Instead of a 'foes' list, I think we need a 'stupid morons' list.
If corporations are people, aren't stockholders guilty of slavery?
I would like to first address a lot of the people who are taking this as a chance to really dog Firefox and the Open Source Community as a failure on their part.
I've been arguing that the Firefox XPI model needs to be re-evaluated from a security standpoint for some time now.
1. Installing XPIs should not be initiated from a web page. They should be downloaded and manually installed, like any other application or application plug-in. This would allow any attacks that involve using the installer for privilege escalation to be eliminated.
2. Expanded rights should not be granted to any javascript that has not been explicitly installed.
3. As a corollary to this, any method that leads to an eval should, when run from a script that's part of chrome, unconditionally revoke those rights. A new method that explicitly evals code with greater rights with a name that makes it clear that it's dangerous can be added if it's actually necessary.
They purposefully broke nmap et al, by their own admission.
I am trolling
Seems like the problem is fairly obvious. Executable code is sometimes malicious. That's kind of just part of the whole "General purpose" computing thing. The same thing goes for any executable on any system.
And the solution is the same: don't use executables (scripts) from dodgy sources. And since greasemonkey scripts are by definition open source (little 'o'), and usually not very long, it's trivial to check for flaws or exploits. If not yourself, some white hat out there will do it.
So in other words, business as usual.
Stupid like a fox!
Why? Because I can't believe that anyone would be STUPID enough to try to "fix" a potential exploit in such a dumb-as way. And that, when I called "bullshit" on it, I immediately got dumped on by a bunch of syncopating knee-jerk "open source devs can do no wrong" posters who don't want us to operate to the same standards as closed-source devs? Yeah, it's a flame war, all right, but it's not trolling. Not in the least!
So look at the facts:
- There was a "potential" - exploit. Not one in the wild. Just a possible one, that affects only a small subset of users
- To reduce the damage caused by their mistake, the developer unilaterally decides that its better to cripple the software through an "update" rather than give the users the information they need to make an informed decision, and decide for themselves whether they want to continue using the functions in question
- They (the developers) post on their list that they're going to intentionally cripple it through the update mechanism, doing an end-run around the whole informed consent issue, and, incidentally acting illegally
So, how the fuck is this trolling? Did you see a single post with a "Burma Shave" jingle in it? No
More Facts:
- Fact: The L'Oreal case I cited was profiled on W5 almost 20 years ago. It bankrupted the IT company. Unfortunately, it's a bit before most posters' time, but it established in court that developers can't unilaterally "throw the switch".
- Fact: It is YOUR RIGHT to be informed as to what the intent of any update is. Not just "this is an update that closes a potential exploit", but "this is an update that will intentionally fuck up any scripts that depend on this API, so if you need to make calls to gm_API_xxxx, don't patch"
- Fact: We would all be bitching if Microsoft pulled something like this. They don't. Every patch contains an explanation to what its INTENDED (as opposed to accidental side-effects) effect is, and includes the possibility to "just say no."
- Fact: We're acting like a bunch of hypocrites if we don't hold F/LOSS to the same standards of disclosure.
So, please tell us, mister A. C., just how the fuck this is a troll?
As for the mods, I don't mind taking the karma hit for speaking the truth. But if they go back through my JEs, they'll also see that Troll Tuesday has ZERO to do with "trolling" in the way that you seem to think it does, and that it's more about raising the level of debate, specifically, about challenging the conventional, knee-jerk reactions that have turned slashdot into slushpot.
What is to stop a script from running that adds in malicious extensions or plugins to firefox?
Um, the fact that there's no mechanism in Firefox for a script to automatically install malicious extensions or plugins. The user has to:
1. Open a form and add the current web page to a white-list.
2. Request the same installation again.
3. Wait for a timer to count down to make sure that the user isn't automatically clicking "OK".
4. Click "OK".
I agree that this is really not stringent enough. The user should download the extension like any other file then explicitly install it. But compared to the IE experience --
1. Click "OK" on a routine jargon-filled dialog.
-- it's clear that while the Firefox installer is a bad design from a security standpoint, but it's bad like littering, not bad like grand theft auto.
No provable increase in security, because no exploit has been found in the wild? Christ. Maybe you should just stay away from computers. This update is intended to prevent unsafe scripts from executing - this is not damage, no matter how you spin it. It *is* a reduction in functionality. It is not damage. Adding a firewall via an update in Windows XP reduced functionality - it did not cause damage. This is normal, accepted, and acceptable behavior.
Your argument is totally untenable, unsupportable, and generally bullshit. Half the updates in the history of computing would be criminal by your standards. Hell, the update to FF that added the whitelist for XPI installation would be - auto installation of extensions is a feature. Thats why IE had it. But it doesn't now. Maybe you should write your district attorney.
If I got fed an update that demonstrably improved security, as this one does - by an *enormous* amount, and the fact that you consider it a minor detail demonstrates a lack of knowledge I find unsettling - at the expense of functionality - rarely used functionality, at that - no, I would not be pissed. At worst, if I needed that functionality, I would investigate the reasons behind the update and find a work around. But thats because I'm responsible about my computing habits and don't expect the little fucking computer fairy to sprinkle dust on my computer when I'm sleeping.
I find it interesting that every application has to wrestle with these problems time and time again, instead of them being solved by the operating system. The reason for all this trouble is that the Access Control List security model is inherently flawed.
Using ACLs makes us adjust permissions per user basis, while it is not the user who does (good or evil) things with the computer but the processes running on behalf of the user. Thus an application can (be tricked to) do malicious things with the user's full permissions - as if the user himself was actively and knowingly destroying his data, sending it over to an eavesdropper, etc. A correct approach would be to grant permissions to do a certain operation on a certain resource per process basis. This is what the capability based security is all about. (If I am mistaken, I hope someone more enlightened in CAP theory will correct me).
I am amazed that none of the popular operating systems implement capability based security models, since they would eliminate Confused Deputy Problems like this.
Some random links relating to Capability based security:
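The confused-deputy point in the comment above, as an added JavaScript model (not code from the thread or from Greasemonkey): the same privileged read helper is exposed once as ambient authority on an object every script shares, and once as a narrow, revocable capability handed only to the user's script. `FAKE_DISK`, `GM_read` and the other names are hypothetical, and the "disk" is an in-memory map.

```javascript
// Constructed model: nothing here touches a real browser, disk or network.
const FAKE_DISK = new Map([
  ['/profile/scripts/prefs.json', '{"theme":"dark"}'],
  ['/profile/cookies.txt', 'session=constructed-sample'],
]);

// The deputy: code that holds the user's full authority over the (fake) disk.
function privilegedRead(path) {
  if (!FAKE_DISK.has(path)) throw new Error('no such file: ' + path);
  return FAKE_DISK.get(path);
}

// Resolve "." and ".." so a prefix check cannot be bypassed with "a/../b".
function normalize(path) {
  const out = [];
  for (const seg of String(path).split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return '/' + out.join('/');
}

// A capability: a reference that carries exactly one permission (read below
// `prefix`) and can be revoked by whoever minted it. Holding the reference is
// the permission; there is no global name to look it up by.
function mintReadCapability(prefix) {
  const base = normalize(prefix);
  const root = base === '/' ? '/' : base + '/';
  let live = true;
  const read = (path) => {
    if (!live) throw new Error('capability revoked');
    const p = normalize(path);
    if (!p.startsWith(root)) throw new Error('outside granted prefix: ' + p);
    return privilegedRead(p);
  };
  return { read: Object.freeze(read), revoke() { live = false; } };
}

function attempt(fn) {
  try { return { ok: true, value: fn() }; }
  catch (e) { return { ok: false, error: e.message }; }
}

// Design A, ambient authority: the helper is published on the object that the
// page's scripts and the user's script both see, so either can invoke it.
function runAmbient(userScript, pageScript) {
  const shared = { GM_read: privilegedRead };
  return {
    user: attempt(() => userScript(shared)),
    page: attempt(() => pageScript(shared)),
  };
}

// Design B, capabilities: the shared object carries no authority. The user's
// script receives a scoped reference as an argument; the page receives nothing.
function runCapability(userScript, pageScript) {
  const shared = {};
  const cap = mintReadCapability('/profile/scripts');
  const result = {
    user: attempt(() => userScript(shared, cap.read)),
    page: attempt(() => pageScript(shared)),
  };
  cap.revoke();
  result.afterRevoke = attempt(() => cap.read('/profile/scripts/prefs.json'));
  return result;
}

// Constructed scripts. The user's script reads its own preferences; the page
// script asks the shared helper for a file it was never meant to see.
const userScript = (shared, read = shared.GM_read) => read('/profile/scripts/prefs.json');
const pageScript = (shared) => shared.GM_read('/profile/cookies.txt');
const overreachingUserScript = (shared, read) => read('/profile/scripts/../cookies.txt');

console.log('ambient   :', JSON.stringify(runAmbient(userScript, pageScript)));
console.log('capability:', JSON.stringify(runCapability(userScript, pageScript)));
console.log('overreach :', JSON.stringify(runCapability(overreachingUserScript, pageScript).user));
```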
I know it's stallman's share everything mentality but personally I don't like my home being world readable. So I change it. But I could picture in business environments that they'd definitely not like one user to read other users home. The user might not have access to the network like this, but sometimes the one machine is time shared with other employees. I think during install or something a distro should ask you how you want the default user permissions set up.
And since I've set my home this way, I assume this couldn't read my home right?
If your computer depends on the disabled functionality in the greasemonkey api, you're going to be mighty pissed. You would rather have the opportunity to work around the problem, by, for example, isolating/hardening the machines in question, rather than having them go off the air completely.
As for the Tylenol reference, there were alternative equivalent generic drugs available as a "drop-in replacement". A more apt comparison would be to, say, an operation. You are explained the risks and benefits, and then decide whether you want the "upgrade." Nobody else can make that decision for you. It's your "hardware" after all.
My whole point is that this:
... is NOT the way to handle the problem. The people affected aren't your average 'net users. Let them (the users) make the decision, based on their own risk/benefits analysis. Do you REALLY have an issue with that?
I gave up smoking years ago, but you may be smoking something comparing FF to IE (I didn't even mention IE because I have no use for it).
I guess you haven't tried many browsers. My browsing goes back to the Mosaic days and I have used more browsers than you have fingers.
I challenge you to try Opera for a few weeks and then do a reality check on your statement.
Lets get the usual "but FF is free" comeback out of the way right now: Ad-sponsored Opera is free and can be set up with text ads (non-flashing) that take only 1/24th of vertical screen space (big deal). It's not much to give up for so much browser. You can also hit F11, go full screen and no ads!
Opera is not perfect, but it beat 7 shades of Hades out of every other browser that I've used in the last 10+ years (and that is quite a few).
Opera d/l about same size, installs just as fast. Try Style Sheets, Zoom, Sessions, Rewind, Fast Forward etc., etc. - real power user stuff. Opera's d/l manager is an order of magnitude better than FF. By the way, many of FF's "original" ideas were originally seen in Opera.
I'll bet you'll find that you didn't browse very efficiently and probably weren't even be aware of it. Or don't try it and never know what you're missing. It's your choice.
Now I have to agree with you about one thing:
What I'm trying to argue here is exactly that - it is your computer, and your choice as to whether to install an update that "fixes" a potential exploit by killing off functionality, after YOU have the facts and make your own risk/benefit analysis - not the developers' in trying to say it's an update, which implies a bug fix (which this is NOT).
I'm not saying that patches that accidentally kill off some feature are wrong - quite the contrary - only those that INTENTIONALLY do so, while posing as "updates".
What has surprised me is that so many people have come out against informed consent/refusal in this case. It looks more and more like the people who are saying that F/LOSS supporters have a double standard are on to something, and that disappoints me. Actually, it more than disappoints me - it pisses me off, because there's a certain amount of truth in it. I believed we had a double standard, but one where we held ourselves to higher standards than the "evil empire." Guess I was wrong on that one.
Your explanation makes it sound very safe, but I have my doubts your explanation is correct.
It appears GM added commands to use the contents of files for its own purposes, and the bug is that other pages not controlled by GM can get at these commands.
I find it hard to believe they implemented these commands to check for the files to be world-readable. First this would mean that anybody using GM for its intended purpose would have to make the file it is reading world-readable, which would be sort of a security problem in its own right (say it has secret information in it that you don't want other users of the computer to see).
Second it requires quite a bit of annoying code to check for world-readable, as opposed to just trying to read the file, and you are implying they did this correctly both for Windows and Linux.
I'm just not buying it, without a more compelling explanation as to why they would have implemented it this way.
While what you describe would be a really cool feature, it is also more easily said than done. I'm positive it could be added at some point, but it maybe isn't reasonable to expect it to be a 1.0 feature.
:)
It isn't enough for security features to be there-- they have to be clear. The user interface is as much a part of the security as the permissions models-- a security feature which overwhelms the user with options is as bad as no security feature at all, as they'll just click "OK" without understanding what it was they did. And the firefox devs tend to err on the side of simplicity over power. Have you seen how many really important preferences are buried in that about:config forest because they couldn't bear clutter in the Preferences dialog?
Extensions are and should be applications unto themselves; that's the point. The fact they're written in javascript rather than machine code doesn't make them different than a .exe. If this isn't clear enough to the end user, then the first thing to do would be make that more clear.
Once that's past, though, it would make a lot of sense for a permissions model for extensions to be added as you suggest. If nothing else, it seems like it would be relatively easy to add an option for some or all extensions to be ratcheted down to the same permissions level as normal javascripts, rather than the extended permissions available to chrome javascripts, since many extensions don't actually take advantage of the extended permissions (as long as some kind of exception was added just large enough to allow extensions to create and edit their own preferences files). However: How should this be presented to the user?
You or I may have the ability to look at some random extension and go "well, knowing what this plugin does, it makes sense for this plugin to be able to modify DOMs and query websites, but not for it to be able to read files off the hard disk". You or I would then be able to set some checkboxes for each plugin specifying what they can and can't do in a granular fashion. But the average user doesn't understand such things, and so shouldn't be outright presented with these questions unless it's through a buried poweruser option like about:config is.
So how do we present this? Should the extensions be split into "trusted" (chrome permissions) and "untrusted" (page-level javascript permissions), and the user sees which is which when they look in the extensions dialog? Should the extension format be extended to include a requestpermisisons.rdf which results in the "would you like to install" dialog for the extension explaining to the user that this extension modifies webpages, this extension reads your hard drive, etc? Should there just be one big "allow extensions to access my hard drive" checkbox in the preferences?
I do not think the answers here are obvious. Some serious thought needs to go into this before the firefox peoples even make any attempt at implementing it.
Anyway I suggest you file this to bugzilla as an enhancement request, or, um, exactly what is it one does with feature suggestions to mozilla?
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
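As an added illustration of the declared-permissions idea raised in the comment above (not Firefox's or Greasemonkey's code, and not the commenter's): an extension declares what it needs, the install dialog text is generated from that declaration, and every privileged call is checked at run time, with the extension's own preferences always allowed. The permission names, manifest shape and host functions are all hypothetical.

```javascript
'use strict';

// Hypothetical permission names with the wording an install dialog would show.
const PERMISSIONS = Object.freeze({
  'dom.modify': 'modify the web pages you visit',
  'net.request': 'send requests to web sites',
  'file.read': 'read files on your hard disk',
});

// Validate a declared-permissions manifest (its shape is an assumption).
// Unknown names are rejected so a typo can never widen access silently.
function parseManifest(manifest) {
  if (!manifest || typeof manifest.id !== 'string' || manifest.id === '') {
    throw new TypeError('manifest needs a non-empty id');
  }
  const requested = Array.isArray(manifest.permissions) ? manifest.permissions : [];
  const unknown = requested.filter(
    (p) => !Object.prototype.hasOwnProperty.call(PERMISSIONS, p));
  if (unknown.length > 0) {
    throw new Error('unknown permission(s): ' + unknown.join(', '));
  }
  return { id: manifest.id, permissions: new Set(requested) };
}

// Text for the "would you like to install" dialog, in plain language.
function installPrompt(ext) {
  if (ext.permissions.size === 0) {
    return `${ext.id} runs with the same permissions as an ordinary web page.`;
  }
  const lines = [...ext.permissions].sort().map((p) => '  - ' + PERMISSIONS[p]);
  return `${ext.id} asks to:\n` + lines.join('\n');
}

// Wrap the host's privileged functions so each call is checked and logged.
function makeSandbox(ext, host, audit) {
  const gate = (perm, fn) => (...args) => {
    const allowed = ext.permissions.has(perm);
    audit.push({ ext: ext.id, perm, allowed });
    if (!allowed) throw new Error(`${ext.id}: permission denied: ${perm}`);
    return fn(...args);
  };
  const prefs = new Map(); // stands in for the extension's own preferences file
  return {
    modifyDom: gate('dom.modify', host.modifyDom),
    request: gate('net.request', host.request),
    readFile: gate('file.read', host.readFile),
    // The one standing exception: an extension may always use its own prefs,
    // namespaced by its id so it cannot touch another extension's settings.
    setPref: (key, value) => { prefs.set(`${ext.id}.${key}`, value); },
    getPref: (key) => prefs.get(`${ext.id}.${key}`),
  };
}

// Constructed host functions and manifest, for demonstration only.
function demo() {
  const host = {
    modifyDom: (change) => `dom:${change}`,
    request: (url) => `GET ${url}`,
    readFile: (path) => `contents of ${path}`,
  };
  const audit = [];
  const ext = parseManifest({
    id: 'page-tweaker',
    permissions: ['net.request', 'dom.modify'],
  });
  const api = makeSandbox(ext, host, audit);
  const domResult = api.modifyDom('hide-banner');
  let fileError = null;
  try {
    api.readFile('/home/user/notes.txt'); // never declared, so refused
  } catch (e) {
    fileError = e.message;
  }
  api.setPref('theme', 'dark');
  return {
    prompt: installPrompt(ext),
    domResult,
    fileError,
    pref: api.getPref('theme'),
    audit,
  };
}
```

The audit list records denied calls as well as allowed ones, which is what a user or reviewer would look at to see an extension reaching for something it never declared.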
I'm not impressed with your 25 years of coding experience either - if there's anything I've learned it's that years in the industry don't amount to shit when it comes to code quality. Some of the worst crap I've ever seen has been sitting on mainframes for 20 years. The fact that you don't think that a *massive*, *critical* vulnerability - this would be earth shattering if GreaseMonkey was widely deployed - isn't something that should be closed off as quickly and as expediently as possible further reduces my total lack of caring about your coding history. It would not be acceptable to leave this on updates.mozdev.org as is. It's worth noting that despite other posts in this thread, the functions removed are used fairly rarely in GM scripts, and then mostly by fairly advanced users.
The dev of GM who's responsible doesn't know a damn thing about security either, and doesn't think that way - he says as much on the ML, and he just learned a really hard lesson in it.
I can't speak for other OSS supporters, but I don't have a double standard here at all - Microsoft did the right thing in enabling its firewall by default in SP 2, in enabling the data execution protection, and a variety of the other things it's enabled that have broken some naive programs. Doing it without a detailed explanation of why is suboptimal. I'll blame MS more for it because they have a mechanism to present that information to the user. I'll blame the Firefox devs because they didn't anticipate the need for such a mechanism in the update. I won't blame the GM dev for responding as best he can to a massive security breach.
Is Greasemonkey on mozdev.org? If so - can we blame mozilla/FF for a security lapse?
Opera, Proxomitron-Grypen,GPG 0x0A1C6EE3
I tried to uninstall Greasemonkey months ago. The Extensions window still says "this item will be uninstalled after you restart Firefox." What, am I supposed to wipe my whole profile now?
Greasemonkey is hardly alone. Other Firefox extensions have done this, often for what seem like less important reasons. For example, ForecastFox (a widget that uses a Web service to check the weather) changed its service provider from weather.com to accuweather, breaking many user settings that were customized to the specific data available from weather.com. The lesson is to check what changes an update makes before downloading it.
Many security holes are the result of increased functionality, so the easiest way to fix them is to remove it. Microsoft does this all the time. For example, an update to Outlook stopped it from running .exe and .vbs attachments automatically. That helps stop viruses, and is IMHO a good idea, but it also inconveniences the few people (other than virus writers) who used the feature.
This is a security update. In order to provide it, some functionality had to be temporarily removed. If the system automatically installed the update, you'd have a valid argument.
LordBodak's journal.
I didn't say its OK to attack something because it is a security hole. I'm saying the person who supplies it can turn something off because it is a security hole. It isn't a malicious third party trying to cause harm.
So you seem to have misunderstood my line of thinking.
It would be nice if Firefox updates had some sort of info about what the update did. I've upgraded extensions in the past and had some odd things, but really it's entirely my responsibility to check on what I'm downloading when I click OK.
I think perhaps some things could be learnt from this situation and it could be handled better, I won't argue with that. However when the user has agreed to the download you have their consent. Continuing to assert it is illegal when you appear on shaky ground doesn't help your other (IMO more reasonable) points that there ought to be a better way of doing this.
I still haven't had an answer on the "crippling" either, is GreaseMonkey rendered useless (seems unlikely) or just loses some functionality?
My original post stated the following:
It was only after everyone went ape-shit (something like 15 responses one after the other, all disagreeing) that I extended the argument into the legal realm. My first concern was, and still is, that this is NOT the way to handle a bug. It bears repeating: this is NOT the way to handle an exploit, a bug, a programmer error. Posting stuff like this:
... makes it sound like you don't credit your users with possessing 2 brain cells. What would be so wrong with publicizing the potential flaw, and just letting people decide for themselves whether to uninstall/install the neutered version/make their own workaround? THAT is what gets my goat!
It has nothing to do with the potential damage of the exploit. Time and again, we've heard calls from all over that F/LOSS has to take a more responsible approach. That includes being up front about mistakes, going the full disclosure route, then empowering the USER to make the decision.
Sure, we take a credibility hit temporarily, but our long-term credibility is enhanced, not degraded, by such a course.
The examples I gave of this, such as Tylenol (poisoned pills), Wendy's (finger food), and Coke (syringes) are, I think, examples of demonstrating to the public that you DO stand behind your product, and are willing to take the hit, if and when necessary, because you have integrity.
This is what the suits want to see. This is part of what they mean by "open-source support." but people just don't get it. They still act like they can "sneak something by", or that, if ignored, it will go away.
One of these days we're going to have a major exploit that IS widely deployed, and how we react to it is going to say more about us than how quickly we patch it. Full disclosure, with control by the now-informed end user, is the only way to go, long-term.
Is what I'm saying THAT far out in left field?
It didn't take long for Scoble to try his marketroid magic to exploit the situation;
http://radio.weblogs.com/0001011/2005/07/19.html#a10693
"Rough week for Firefox team"
Don't forget to take a look at his comments section to see how hard he's trying to spin this to show Firefox is even less secure than IE!
- sigs are for wimps.
Shouldn't it inform you first (perhaps by presenting the changelog) before screwing things up?
When I do my updates on my SuSE system, I get to see every update, and what's been changed, and I have the option of saying "no".
I also have the option of making it completely automatic. That is my choice, and I choose to say "no".
Me, I think all updates should be this way, but at the very least, updates that are known to break things should say so before install.
But one of my beefs wasn't just that there was a problem, but with the way it was handled, as I originally posted:
I keep coming back to this point, that this way of "fixing" a problem doesn't pass the "smell test" - it's sleazy. As RMS says, it's about freedom, not about price. And part of freedom is that the end user should be both informed and in control, not just "well, there's an update - guess I should install it, because updates are supposed to be good for you" and cross your fingers, throw the I Ching, and hope for the best.
Whatever you do, don't bother telling us non-FF users what greasemonkey does!
:)
It's discrimination I tell you... you've been after us Opera users from the start!
If I can't smoke and swear I'm fucked.
The whole legal question was a side-issue that I brought up because people were missing my main point - that users have the right to know and control what is going on with their computers.
I like the way SuSE update works. I get to select what I want to install, I have all sorts of info as to what each update does, what it provides, what issues it addresses, what it needs, dependencies, increased functionality, etc.
It's what updating should be like. Quick. Easy. Informative. Under MY control.
Now, on to your first point. Even the developer/supplier has no legal right to "turn off" something on my computer without my consent. This consent can be obtained, for example, by stating up-front that it is a time-limited demo version that dies after x number of days/runs/whatever. On a side note, even then, you are not allowed to "hold a user's data hostage" - which, believe it or not, some companies tried to do as a way of keeping their customers.
Hope this helps :-)
Mozdev, just like MozillaZine and MozillaNews is actually not part of the Mozilla Foundation and is not under their control. Thank you, please try again.
As long as the browser allows some form of plug-in which can intercept URL requests... it's going to be vulnerable to spyware.
I'm sorry, I don't understand what the browser or the plugin has to do with this. You're describing a social engineering attack. Once someone has used social engineering to run code on your computer (whether by having you download and install an application, or by having you download and install a plugin, or by having you download and run a standalone application) that's "game over". They can do anything they want.
There's no "big gaping hole" in the browser that allows this, there's simply the fact that the user has the privileges necessary to, whether from the browser or from Windows Explorer or from the shell, run an unsandboxed application.
The security hole in Internet Explorer has nothing to do with the fact that you can install plugins in it, it has only to do with how you do it.
It has been possible to install plugins, or to download and install applications, or download and run scripts, on all personal computers running all operating systems since the very first primitive bulletin board systems went up in the '70s... mere moments after personal computers became available.
Up until the late '90s, though, it was pretty much impossible for someone to launch code on your computer without you explicitly downloading and requesting the execution of that code. Oh, there had been occasional exceptions, but they never lasted long and they were never the mechanism of choice for virus distribution. Social engineering and file sharing were. So long as you were aware of the possibility of social engineering, and didn't run files other people left for you, you were safe.
There used to be a joke about a virus that you could get by just reading an email. It was the "GOOD TIMES" virus. It was a joke because everyone knew that nobody would be so stupid as to write a mail program or bulletin board client (terminal program, browser, what have you) that let someone you didn't know run code on your computer. That was insane.
The Microsoft HTML control was the first program, ever, that I am aware of that contained a mechanism to launch unsandboxed applications (scripts or plugins) from a remote site. When I saw how IE and the desktop were being integrated, I went to our managers and I said 'this is a security problem. I don't know what's going to happen, but I know that this program is going to be used to break in to people's computers. I want to ban this program from our site'. They said 'OK'. Now, I suspected that the first exploits would be through Active Desktop, I was wrong about that, but I wasn't wrong about it being bad.
We used Netscape and then Mozilla for years. We occasionally had someone social-engineered into downloading and running some piece of malware, whether through email or through the web, but it was rare. Almost all of the times that I was called out to disinfect or reinstall someone's computer, it was because someone had violated our policy and used Outlook, Outlook Express, or Internet Explorer.
Later, when our parent company forced us to change that policy, things got worse. But still, while I occasionally had people come to me and say "I clicked OK again, Peter, I'm sorry"... I never had them say "I downloaded and ran/installed an application/plugin and it was infected" more than once. Because there is a HUGE difference between "clicking OK" and explicitly running a program.
THAT, my friend, is the "real world". In the real world, the distance between the Microsoft HTML control and any other component used in a browser, mail program, or other application used to view remote content is so huge that equating one to the other, even when there's problems in the other application as there are in Firefox, is simply ludicrous.
It's got nothing to do with one having more choices or features, it has to do with Internet Explorer and all other applications using the Microsoft HTML
Obviously you know that the patch removes functionality, or you wouldn't be complaining about it. Since you're aware, that means you were informed (somehow). And since no one is forcing you to install the update (extension updates don't install automatically), you are in control of whether you install it or not.
Black and grey are both shades of white.
All kidding aside, I wouldn't have known if I hadn't read the article. My beef wasn't with removing functionality, it was with the way it was done, and the thought processes that seemed to be behind it (at least, from what I could tell from the post that I cut-n-pasted here that started this whole thing ...)
Add that to them possibly trying to make previous versions unavailable so that anyone who DID "update" and then found that they needed the previous functionality, and were now SOL ... as I said originally, the whole mess doesn't sit right with me.
Let's take another case. If it were, for example, software that I was using on one of the servers here, and the distro maintainers decided to pull a shot like this it would make me start checking out other distros RSN. It's about trust, open communications, and how you handle a problem.
I mean, this message:
... just doesn't pass the smell test.
I've been using Greasemonkey to download mpeg files and other media files that won't run in Firefox by default. And I've been looking into creating Greasemonkey scripts to fix problems with various sites that cause Firefox fits. Many sites are only tested with IE -- and I've had all kinds of terrible things happen to my PC when I was running IE. (Some earlier comments alluded to BHOs, etc. -- that kind of thing). All of those comments casually suggesting people drop or disable Greasemonkey are less than helpful.
That is pretty low, I don't see why the Greasemonkey plugin is now supposedly representing Firefox, it's just a simple developer tool that lets you add JS code to a set of pages you define. Firefox is a complete browser, much more complex and amazing at what it does. I do like Greasemonkey, and I know they will fix this in no time.
Meet new people, and kill them.
Wouldn't this class of problems be easier to avoid within SEL?
Opera User Javascript.
Why should this be done at the layer of the browser? Get a real OS with a security model based on the idea of Mandatory Access Control and you get this with every application.
It fails the three-clicks rule. ;)
Mozilla has internal support for tabs, right? I used tab extensions before mozilla had support, but now I don't see a need.
Not a troll, but curious: What features do you find you can't live without that are installed by one of the tab extensions?
It's clear that the author of this "news" didn't bother to check if an upgrade was available before posting about this.
I think this is both unfair to Mozilla as to GreaseMonkey.
Please update the news as you do other times to say that users can update their GreaseMonkey installation to avoid this bug.
https://addons.mozilla.org/extensions/moreinfo.php?id=748
Excellent effort--I commend you. GNAA quality!
So your argument is that random websites having unfettered access to world-readable files is preferential to the developers changing how their program works?
Black and grey are both shades of white.
6 clicks or 6000 clicks, who cares how many clicks for Joe Sixpack to install an extension, it didn't prevent GS from being a security threat.
Of course, as not all of them read slashdot, I'm at a loss as to how you think that's going to happen sans them updating and finding out why their scripts don't work.
Um, duh.
If corporations are people, aren't stockholders guilty of slavery?
Ignore him. He's harping about the 'it will automatically update itself', even though it's been explained that the phrase actually means, 'it will automatically notify you that an update is available, and you can choose whether or not to take advantage of the upgrade'.
The developers are free to change how their program works. They are NOT free to sneak those changes onto a users computer without their **informed** consent. Two different issues.
What I actually said in my original post was:
One of the freedoms of "free as in beer" software is supposed to be that YOU control your system. (I can't believe it - I'm turning into an RMS clone!)
And, since so many people have taken me to task on this, I've backed up my claim of it being illegal in many jurisdictions in this reply in a JE (sorry the laws at the bottom of the post - I was replying to another poster ... you know how these things sometimes end up with long discussions ...)
What I think is preferable is what I've been saying - inform the users up front that there is a problem, and let them decide if they should remove it, work around it, or take you up on the "neutered update."
Besides, if they want to read my files, I'll just make a symlink between /dev/urandom and some interesting file names, like "latest porn collection". If you want an idea of how bad that will be for them, just run "cat /dev/urandom" in a terminal ...
Toolbars: Right click over tool bar for list of location options - left, right, top, bottom, off
Buttons: Right click over button and select remove from toolbar, or drag and drop to new location.
It took me all of 2 minutes to get rid of every toolbar and that I didn't like and put the buttons where I wanted.
Next problem?
Pardon the rest of us who have trouble believing you are a lawyer with hundreds of hours arguing cases in court, who has won *EVERY* time, and has been programming professionally for over 25 years. I'm not saying it's not possible, I'm just pointing out that, based on your 'legal analysis' of this issue, it's *very* difficult to believe.
A couple points:
First, the 'automatic update' is actually 'automatic update notification'. Nothing is installed without your consent. If you choose to install an upgrade without checking out the developer's site where it *does* explicitly tell you what is being changed, that's *your* problem, not his. Bitching and moaning doesn't change that.
Second, the author of Greasemonkey isn't a 'third party'. He's a 'second party'. He provided a good or service to you, and having discovered a serious issue, is doing the responsible thing, and issuing a recall.
Third, security is a feature. The update offers improved security. That is a *good* thing. Again, though, nobody is forcing you to upgrade if you consider the features lost more valuable than the security of your computer.
Fourth, stability is a feature.
Fifth, there is no legal responsibility for the author of software to never remove functionality. If there were, Microsoft would have been *heavily* fined when they released Windows ME, and would be bankrupt right now.
Sixth, if you have Greasemonkey installed on a system where you do *any* of your supposed legal work, you'd be at risk of committing legal malpractice by *not* installing the upgrade. Why? Because you are now *intentionally* putting sensitive (read 'confidential') attorney-client information at risk.
Seventh, if you really *are* a lawyer, you're an awfully stupid one to have given legal advice in the manner you have. If you *aren't* a lawyer, you're even more stupid to have given legal advice in the first place. Either way, you've opened yourself to lawsuits from people who *took* your legal advice. Not *my* problem, just wanted to point it out.
I could always cop out, and say that the solution is left as an exercise for the reader, but that IS a cop-out. There is no perfect solution. But some will read it on slashdot. Others on k5, or google news. And some won't for a while, until they get an email from a friend, or one of the tech newsletters they subscribe to. But isn't that the way it should work?
The last criminal case I argued was in 1998. This was, iirc, about the 4th (they tend to come along every decade or so).
It was fun baiting the opposition, catching them in one lie after another, and getting them so enraged that they totally lost it and had to be ejected from the courtroom - twice! It was also a good exercise in debating, finding ways to get voir-dire (hearsay) testimony admitted indirectly (yes, Virginia, hearsay isn't admissible in court, except when it is :-) (I know, I should write a book, but who'd believe all the shit I've done :-)
That one was 4 days, and I had the time of my life. Enjoyed every minute of it. The previous one, late '80s, iirc, was less than 10 minutes. And I won that one, too, while 63 other people lost (even though they all insisted on using a lawyer instead of taking my advice. I told them I knew more about how to do a protest legally than most lawyers, but would they listen? No ... So they all ended up with criminal records. Me? Nothing.). The one before that, early eighties, an hour or so. And I won that one too, without even working up much of a sweat.
This isn't including 2 lame-ass tickets that I won on constitutional grounds. in the early '80s when the Canadian constitution was all fresh and newly minted (I know, wtf - using the constitution to beat a ticket? Isn't that like using a grenade launcher to kill a fly? Yes. So what? It was quick, and it worked). And a bunch of civil cases (the last was earlier this year, and, again, I had FUN!!! and I won.) Want to win all the time? Simple. Pick. Your. Battles! Always be reasonable, always offer to settle on reasonable terms if you're in the wrong (and even if you're in the right), and then, if you're in the right, kick them in the teeth if they're stupid enough to take you to court.
So, I hope that explains it a bit better, that unlike most slashdotters, I've had the opportunity to actually put my money where my mouth is, in terms of whether my interpretation of the law is better than someone else's ...
Now, back on to the points that are still relevant ---
I never said that software developers can't remove functionality in future releases of the product. What they don't have is the legal right to get you to remove functionality from your system under the guise of an "update". I've posted the relevant laws in a JE at the bottom of this post.
The test for informed consent is what a reasonable person would believe. A reasonable person has no reason to expect that an update will INTENTIONALLY cripple software on his computer. So my "bitching and moaning" about their clumsy, ham-handed tactics is entirely appropriate, as what the developers did was contrary to any test of "reasonable expectations."
The developer is not "issuing a recall." A recall notice clearly states the defect, it doesn't masquerade as an "update". Besides, nobody has the right to trick (remember, there is a test for reasonableness, and this soi-disant "update" fails it) a user into rendering software functional just because the developer thinks there's a problem. Or would you then argue that Microsoft or Apple should be able to arbitrarily kill off features on your computer because of what they consider a problem?
That's what you imply with the "stability is a feature" mantra. For example, if tomorrow they decide that Firef
Time to get converting your favourite Greasemonkey user scripts to full-blown Firefox extensions ;-)
Some details here http://www.keebler.net.nyud.net:8090/blog/2005/07/09/convert-greasemonkey-user-scripts-to-firefox-extensions/
In the real world, (and everyone in existence thinks this way except you, so deal), the default is 'be secure' and the other choice is 'or make an informed choice to be insecure'.
The other way around is completely fucking idiotic, and I'm sorry but there's no other way to describe it. People cannot possibly personally vet every single thing they own, and constantly check that hasn't been discovered it is dangerous.
However, everyone else make a note: It's okay to give Tom Hudson broken things and never inform him how dangerous they are. Luckily, we won't have to do this for long, because he will 'choose' to continue to use a car with an exploding gas tank.
Your fault for not reading the Ford owner's newsletter, I guess. Obviously, if you use Ford cars, you read their newsletter.
But forgive us if we operate as if you've already been killed and issue the updates by default. In the long term, it doesn't matter if you get killed today or tomorrow.
If corporations are people, aren't stockholders guilty of slavery?
They're not essential, but they make my browsing life a lot more pleasant!
im in ur
The point I was actually making about mozdev is that you shouldn't get malicious extensions hanging about there. Anything that is a security hazard is hopefully going to be an accidental one.
im in ur
I agree with you somewhat, but since the patch isn't automatically installed I don't think there's a problem. No one is forced to install it, coerced perhaps - but that's not always a bad thing.
Black and grey are both shades of white.