Firefox Greasemonkey Extension Security Problem
Mr2001 writes "A recent thread on the Greasemonkey mailing list suggests that the popular Firefox extension is fatally insecure. It seems rogue pages can read any file from your disk and send it to any site, using an XmlHttpRequest. Time to uninstall GM?"
"Time to uninstall GM?"
Why not just do what the article says and "Install Greasemonkey 0.3.5"
My lame blog.
According to Firefox extensions site, you need to "uninstall or upgrade now." The post is from today.
Falun Dafa is good!
Time to try out Opera's User JavaScript.
Opera Watch - An Opera browser blog.
A severe security issue has been discovered in Greasemonkey versions prior to 0.3.5 as well as the early 0.4 alphas which some people may have installed.
Install Greasemonkey 0.3.5 or uninstall Greasemonkey immediately.
More information on Greaseblog.
Greasemonkey is a Firefox extension which lets you add bits of DHTML ("user scripts") to any web page to change its behavior. In much the same way that user CSS lets you take control of a web page's style, user scripts let you easily control any aspect of a web page's design or interaction.
For example, you could:
- Make sure that all URLs displayed in the browser are clickable links
- Improve the usability of a site you frequent
- Route around common and annoying website bugs
- Use the Coral content network selectively
Getting started:
- Install Greasemonkey 0.3.5.
- Learn how to use Greasemonkey.
- Find useful scripts.
Greasemonkey was heavily inspired by Adrian Holovaty's site-specific extension for All Music Guide and the conversation which ensued after he published it. There were tons of sites I wanted to create SSEs for, but fully-fledged Firefox extensions proved too cumbersome. I wanted it to be as easy to create an SSE as it is to write DHTML.
The current maintainers are Aaron Boodman and Jeremy Dunck with the invaluable help of an awesome community of user script enthusiasts.
For questions or comments about Greasemonkey, please send a message to the greasemonkey mailing list.
Notice how they avoid explaining the problem/solution. They just want you to see these new exciting features, and download it now!
Time is comparison of movement to other movement.
The flaw applies to Greasemonkey on all platforms.
"No one likes working in a hamster wheel, and your shop smells of cedar shavings from here." - TaleSpinner
Calm down? What that means is people will be alerted by the Mozilla update feature that an update is available. They can still not update. But this is a GOOD THING since not everyone who uses GM reads slashdot or the GM web site!
You're correct. It was discovered by a white hat.
It should be up to the individuals to decide if they want to make such significant mods to their system as purposefully crippling software.
You mean like in Firefox, where when updates are available all the auto-update feature does is display a little "updates available" icon in a browser window, then offer to install the updates when you click the icon?
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
Go to "Tools", go to "Extensions", click on the Greasemonkey extension and click "Uninstall" or "Update".
multifariam.net -- yet another nerd blog
For clarification, the parent is referring to the article that says at the bottom "This is why God invented the tag." You just can't see the blink part since the parent didn't post in extrans.
In 1986 I wrote a Commodore 64 terminal program that allowed BBSes to download and run bits of assembly code onto the user's machine in order to enhance the user's experience. It took about 48 hours before someone posted a message that executed a jump to address 64738 -- system reset.
Bad idea then. Worse idea now, no matter how much supposed security you surround it with.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
The firefox guys should have realized that extensions are a HUGE security threat
The Firefox guys did; fortunately this has very little to do with FF extensions! It's an issue with GreaseMonkey User Scripts, which are javascript files run by the Greasemonkey extension. Extensions are OK; certain Greasemonkey user scripts *may* not be.
For anyone who's never heard of GreaseMonkey - DON'T PANIC! It doesn't affect you: nothing to see here, move along, please.
For folk who use GreaseMonkey, continue to exercise caution when you install user scripts (for non-GM people, user scripts are installed by visiting a javascript on the web, giving you the opportunity to read it) - READ THOSE SCRIPTS FIRST, PEOPLE!
Apologies for the shouting, but this stuff's important. Just not that important.
This is where the serious fun begins.
Microsoft's Anti-Spyware monitors the installation of BHOs. BHOs can easily be blocked or removed: MS Antispyware > Advanced Tools > System Explorers > Internet Explorer > IE BHOs.
EVERYONE WHO HAS GREASEMONKEY INSTALLED IS AT RISK!
Malicious web pages can just hook into Greasemonkey functionality, and use it to read local content, regardless of user script. And then there's of course also the risk of untrusted user scripts doing bad things, but that is equivalent to untrusted extensions. Like the parent says, use caution, and don't install without reading the source code first.
Not that anyone ever does that for extensions. Not even the addons.mozilla.org people. Bad Firefox extensions! No cookie!
but this isn't a security hole in FF. it's a security hole in an extension. dontcha understand the difference, wee man? :rolleyes:
It's not that minimal, really. And if you stick to extensions from mozdev.org then there's an auditing body for you, as well. Most of the useful extensions are high profile, anyway, and so they are screened by more people, because you only really need a few to actually make Firefox significantly slicker (Adblock, Bugmenot, Web developer, some kind of Tab extension)
im in ur
Moderators, please be aware. If you look at the parent poster's Slashdot journal you will find that in the last two entries he (1) announces a "troll tuesday" dedicated to posting trolls and (2) directly links his post here today, with the header "flamewar!".
It seems fairly clear, based on his journal entries in which he expresses an intent to troll and then links this post; and the nonsensical and extreme viewpoint expressed in the parent post, and the bait-and-switch method by which he argues one thing in the top-level post then switches to something entirely different in the replies; that "tomhudson" is purposefully trolling, then using his journal to show off his post to the troll community to gather support and possibly upmods.
Please react accordingly.
IIS 6 Exploits
Apache 2.0x.
Please do some basic research before making comments on security.
Have you ever been to a turkish prison?
This is one of the reasons that I avoid FF. It's pretty minimal out of the box.
Pretty minimal? WTF are you smoking? Firefox does everything for me right out of the box that I could ever ask it to do. I have installed it (total time including download less than a minute in most cases) on machines all over the place in lieu of using IE. I never have to download any extensions or plugins for it.
In fact the only plugin that I have installed on FF at home is Macromedia Flash. Other than that it comes with everything I need.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
Greasemonkey 'adds' stuff to Javascript. Any page on the internet can use these additions.
If you have Greasemonkey installed, and Javascript enabled (Greasemonkey is rather pointless without Javascript anyway.), you are at risk.
You can't 'be safe' by only doing certain things, because the flaw is that any page on the internet can call Greasemonkey functions. (Any page that can use Javascript, at least.) It has nothing to do with you.
It is possible to use Greasemonkey with the NoScript extension to disable Javascript globally and then re-enable it only on a few trusted sites...but no one uses Greasemonkey on 'trusted' sites, we use(d) it to hack up stupid-ass pages that had eight square inches of content per page with the rest ads and fancy graphics.
If you absolutely require Greasemonkey to make some internal site work, and are willing to disable Javascript on the entire rest of the internet, NoScript might be worth a try. Otherwise, get rid of Greasemonkey, NOW.
If corporations are people, aren't stockholders guilty of slavery?
I would like to first address a lot of the people who are taking this as a chance to really dog Firefox and the Open Source Community as a failure on their part.
Because someone has discovered this problem, one can now fix the problem. That is the whole idea of Open Source and all that rot. If anyone would love to submit a patch for Windows 95 to make it run longer than 52.5 days, I'm waiting. It's a known problem, why isn't it fixed? Well, because someone, somewhere said they weren't going to fix Windows 95 because it's too old. This is the case a lot in closed source: you know there is a bug and you'd like something to be done about it, but nothing will be done unless MS sees that a patch for the software is cost justified.
Also, aside from the fact that this is an extension of Firefox, I know it's just as bad as if the package was faulty. Up till today I had never heard of this extension. So I'm not sure as to how widespread this problem is, but I'm guessing that a good chunk of all Firefox users do not have GM.
To top it all off, the writers of GM have issued a fix for their extension by means of version 3.5. Yes, I know it breaks API compatibility, which sounds like something MS would do, but just like what the Mozilla team did with IDN, they turned IDNs off until they could make a good way of handling them. The Mozilla team came up with a fix in a fairly decent amount of time. I find it highly possible that this piece of software will do likewise. As opposed to MS breaking things with SP2 and then telling all of the vendors to just get over it (which I will agree that only a small amount, twenty or so, of vendors got 'left behind', so not horrible, just bad.)
Now secondly, from the story, GM only returns results of files that are world readable (aka the Everyone group if you are a Windows person). Now, I'm not sure how everyone has their system set up, so this could all vary from one person to another.
In Linux my home directory (the one with all my private stuff) is only owner read, write, traversable (700 or rwx------).
If I remember correctly, in Windows the C: (root) drive's permissions for the Everyone group are:
-Traverse/Execute
-List Folder/Read
-Read Attributes
-Read Permissions
(I may have missed a few because I don't have a Windows machine handy)
At no part is write permission granted to Everyone.
Therefore, your OS is mostly secure to protect you from getting some form of malware on your system.
However, this does allow someone to read data from your system if, and this is the big if, you set your private stuff as world readable (aka readable by the Everyone group.)
Which as far as I know all of your cookies and history is stored somewhere in .mozilla (Linux) or My Documents (Windows).
Which as stated previously, /home/$USER on my machine is (700 or rwx------) which prevents /home/$USER/.mozilla/firefox/* from being displayed (and just to be safe all things ~/.mozilla/* should be 700).
Now if I correctly remember for Windows, My Documents does not even have an entry for the Everyone group to do jack crap with. I know, gasp, Windows permissions actually working for the user?!
So this leaves the would-be hacker mostly your system configuration (and not even the good parts) left open to be read. I know they can't read a bunch of my /etc folder (Linux's folder for configuration) because a lot of it is owned by root with 700 or 770 permissions. So that leaves for the most part things that a hacker could have already found out if they had just used nmap on my system. Same goes for Windows.
I mean really, what good does it do one to only be able to read the boot.ini file??? "Ok, now I know you have two installs of Windows, or you use the Windows bootloader to load Linux for you (or what not.)" It's not like they can change it, only read it.
This problem isn't a very high security threat if you have some wits about you, but it is a problem indeed and it needs to be fixed. However, this problem is being hyped up as if this was allowing world write access to your system, which is just not the case.
Surprisingly enough, IIS5, still in wide use, has unpatched vulnerabilities.
OK, stop with the pure FUD. Using the Secunia link you provided, it shows that IIS5 has one unpatched vulnerability, which is rated Not Critical, which is the lowest rating possible. Not only are the unpatched flaws in Apache more serious, there are also more of them! Please, stop with the BS.