Slashdot Mirror


Firefox Greasemonkey Extension Security Problem

Mr2001 writes "A recent thread on the Greasemonkey mailing list suggests that the popular Firefox extension is fatally insecure. It seems rogue pages can read any file from your disk and send it to any site, using an XmlHttpRequest. Time to uninstall GM?"

36 of 443 comments

  1. More Ammo by GuitarNeophyte · · Score: 5, Insightful

    Just more ammo for the mega-powers to say, "See, when it becomes mainstream, it becomes more insecure. Come back to windows."

    Marvelous.

    Luke
    ----
    Be smart. Teach others. ChristianNerds.com

    1. Re:More Ammo by ssj_195 · · Score: 4, Insightful

      If they do (as they doubtless will), you can simply say that this is an optional extension used by a minority of Firefox users (and since not even Firefox is fully "mainstream", this puts it about as far from the mainstream as you can get :P), and there are currently no exploits in the wild. You can also add that it was found by a white-hat, and so is a validation of the "many-eyes" theory, if you want. Spin works both ways ;)

    2. Re:More Ammo by arrow · · Score: 4, Insightful

      The difference is your spin will never be heard by the media.

      --
      symetrix. We are building a religion, a limited edition.
    3. Re:More Ammo by Phisbut · · Score: 4, Insightful
      I'd hardly call Greasemonkey "mainstream" :o)

      Plus, the solution "uninstall it until we fix it" is pretty decent when it comes to security. Think we'll ever hear "Uninstall IE until we fix it" anytime soon? :o)

      --
      After 3 days without programming, life becomes meaningless
      - The Tao of Programming
  2. What should be done. by sykjoke · · Score: 4, Insightful

    The firefox guys should have realized that extensions are a HUGE security threat, possibly even worse than anything that's come out of IE. What they should have done is setup some permissions from the first place, so that you can allow or prevent extensions from performing sensitive operations. Something similar to the Java security model would have been good enough

    1. Re:What should be done. by cybersaga · · Score: 3, Insightful

      This is why Firefox makes you whitelist a site before downloading an extension.

      Forcing you to intentionally accept extensions is not a big security threat at all.

      This is just a bug. Bugs happen. It's been fixed already.

    2. Re:What should be done. by Buzz_Litebeer · · Score: 3, Insightful

      That is incredibly uninformed. IE can run Browser Helper Objects, and they can (many times) be installed completely silently. A cleverly written BHO can steal all information you are entering into your computer, even if it is unrelated to actual browsing, depending how clever the person is in writing it. They are a pain to uninstall as well. Extensions for Firefox are uninstallable from a menu, and they are whitelisted before they ever get to you, so that you can avoid some of the fly-by installs that BHOs enjoy.

      --
      If you don't vote, you don't matter, so don't waste your time telling me your opinion
    3. Re:What should be done. by sykjoke · · Score: 2, Insightful

      It is a problem with Firefox allowing GM to have such privileges. Do you always log in as administrator or root? Have you edited the source code of Postgres so that it can also run as root? So why should Firefox give root to any extension that comes along?

    4. Re:What should be done. by telecsan · · Score: 5, Insightful

      Even after you've installed an extension, you shouldn't be forced (by Firefox) to accept any and all behaviour it tries to produce. I should be able to install a toolbar and prevent it from calling home, for example. You should be able to set the permissions or at least the 'run-as' of the toolbar separately from the permissions of Firefox. Surely the security-conscious /. community should realize that.

  3. Re:Why Uninstall? by DrEldarion · · Score: 4, Insightful

    See, you're making the (frequently-made) mistake of assuming that people actually read anything but the headline of the articles they're referencing.

  4. Let's Throw MUD! by GuitarNeophyte · · Score: 2, Insightful

    Although the "average user" won't be using the various plugins, Microsoft will still point to this as one more reason to say that FireFox isn't secure. Sure, FireFox has its bugs. We need to get fixing them.

    I'm not saying that FireFox is perfect. Obviously, it's not, and this article is a case in point. It's still the browser I use. For me, this is a warning to fix things or wait for them to stable up (oh yeah -- that mindset shown, I am a Debian user). But just like we use any little IE thing to say "See, IE is junk," this'll get used too.

    *sigh* The joys of conflict.

    Luke
    ----
    Smarten up your stupider-than-you coworkers, send them to ChristianNerds.com

    1. Re:Let's Throw MUD! by Zeinfeld · · Score: 4, Insightful
      Although the "average user" won't be using the various plugins, Microsoft will still point to this as one more reason to say that FireFox isn't secure. Sure, FireFox has its bugs. We need to get fixing them.

      And the winner of the Slashdot "Who can be the first to blame Microsoft for a bug in FOSS is..."

      The problem is not bugs, the problem is that nobody designed their systems to deal with the real security threats presented in the Internet today.

      The principal cause of Microsoft's security problems today was their addiction to 'featuritis' in the 1990s. If you think that the open source community does not have the same problem you need to take a serious look at some FOSS programs.

      There is nothing that can't be fixed but first people have to realize that FOSS has just as much need to fix them. Everyone in the security community will tell you that making the source code available does not guarantee that your code will be secured. We have enough trouble getting engineers to review their own code.

      We need a new approach to writing secure code. Before that can happen a lot of FOSS people need to lose their complacency. Microsoft is not the enemy here, the criminal gangs are the enemy.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    2. Re:Let's Throw MUD! by The+Bubble · · Score: 2, Insightful

      I think that this bug is evidence of how intelligent Firefox's extension-based architecture really is. A severe security bug is discovered in a feature? I can disable it, and go on working. That feature can be updated, upgraded, and I can resume using it again, and I never had to think twice about changing browsers, or wait for the next version to come out (though, as I'd like to point out, an updated version of GreaseMonkey has already been prepared.)

  5. no, Time to stop browsing as root! by gwait · · Score: 2, Insightful

    Oh, wait I don't browse as root already!
    Guess it can't access "all" the files on my system then, can it?

    --
    Bavarian Purity Law of Rice Krispie Squares: Rice Krispies, Marshmallows, Butter, Vanilla.
  6. A HELPFUL TRANSACTION. by Anonymous Coward · · Score: 5, Insightful

    (MAN) Sirs, I am in dire need of a web-browser! The one thus furnished to me by Mr. Gates of Redmond is rickety and unsafe, and prone to inviting the most deadly of spy-ware into my parlor!
    (MOZILLA SOCIETY REPRESENTATIVE) Why, good sir, we shall help you forthwith! We have exactly the web-browser that you need! It has been engineered to the most careful of specifications, and its security is without compare!
    (MAN) Why then I shall have one immediately!

    (LATER)

    (RANDOM STREET URCHIN) Sir, I see that you have this day procured a web-browser, which I see under your arm. May I convince you to also take this complex contraption of my own invention, which will attach to your web-browser as a "plug in"?
    (MAN) What, what? An inscrutable device of unclear ultimate function furnished by a stranger of whom I know nothing? Yes, yes, why not. Now run along, lad.

    (LATER THAT NIGHT, THE CONTRAPTION PROVIDED BY THE STREET URCHIN EXPLODES, SETTING THE WEB BROWSER AFLAME.)

    (MAN) What's this? Oh, mama! The web-browser I have this very day received from the Mozilla Society has immolated, consuming my drapes and lighting my house aflame. They told me it was secure! Lies! Betrayal! Those Mozilla Society rapscallions! I'll give them what for!

    1. Re:A HELPFUL TRANSACTION. by patio11 · · Score: 2, Insightful

      Open source advocates do themselves no credit when they say "Spyware which takes advantages of weakness in the design of IE is Microsoft's problem, but spyware which takes advantages of weakness in the design of Firefox is the author's problem". If this were MSIE you can be 100% sure that somebody would be saying "Why, why, why does Windows even ALLOW users to run untrusted code?"

  7. Re:Why Uninstall? by tgd · · Score: 2, Insightful

    I bet you a dollar those scripts won't work if you uninstall GreaseMonkey, too.

  8. Re:More details on the exploit... by markov_chain · · Score: 2, Insightful

    OMG! I hope I don't get exploited... or the attackers may get hold of this exciting information:

    bin boot dev etc home initrd lib lost+found man media misc mnt opt proc root sbin selinux srv sys tftpboot tmp usr var

    --
    Tsunami -- You can't bring a good wave down!
  9. If we were Microsoft by Felinoid · · Score: 2, Insightful

    "It's not a bug it's a feature" are quite likely words never actually spoken by any representative of Microsoft.
    However there is a reason for this attitude.

    Bug that makes it possible to run code on remote users' box:
    Users say "Oh no bug bug. Get rid of it"
    Developers say "Ohh feature feature keep it, expand it"
    Security experts say "Bug"

    If the developers provide a strong enough argument the "bug" is classified as a feature and remains.

    --
    I don't actually exist.
  10. ING by samjam · · Score: 3, Insightful

    StudyING it (it takes time) and they HAVE found it is not secure, just like the millions of eyes are supposed to do.

    One of them is bound to notice, eh?

    So it works! Sweet!

    Sam

  11. Exactly! by GillBates0 · · Score: 2, Insightful
    I would've typed in an almost identical comment had I not bothered to RTFC.

    No matter how secure the core Firefox code is, it is all meaningless with the current extensions model. With the current model (or lack of one) a malicious (or plain buggy) extension can turn Firefox into a bigger threat than IE.

    From my understanding, Firefox extensions aren't restricted from doing I/O or listening on sockets/etc. What's to prevent somebody from writing a seemingly harmless extension which silently dumps all activity logs or other information to an outside listener?

    A Java type sandbox model, while a reasonable analogy would IMHO be overly restrictive for extensions, which need to be more closely tied into Firefox than most Java applets need to be to do all the cool things that they currently do (eg: the Tabbrowser Extension) .

    --
    An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
  12. FF's greatest strength also its greatest weakness? by Anonymous Coward · · Score: 1, Insightful

    This is one of the reasons that I avoid FF. It's pretty minimal out of the box. Plugins from everywhere are promoted as what really makes it sing, but to me this seems to add a big risk. Yeah, open source, thousands of eyeballs, yadda, yadda, but how many people seriously have time or skills to review all the code for themselves and why should I trust that some strangers have done a good (or any) review on my behalf? Too risky - I'll stick with Opera, thanks.

  13. Maybe I'm clueless, but... by ded_guy · · Score: 4, Insightful

    I admit that I haven't yet tried out GreaseMonkey, but when I look at the exploit code it raises one really big question. Why isn't there some way to prevent non-user script from accessing the GreaseMonkey objects? Wouldn't this allow the user to retain all the ability they have now while rendering scripts from malicious sites harmless? Seeing as how GM is meant to be a means for the user to use scripts to modify pages, it seems very odd that anything outside of user script would be able to access its functionality.

    I realize it's likely due to the nature of Firefox's JS interpreter, but if this sort of separation isn't viable could someone enlighten me as to why?

    --
    In the future, all spacecraft will be made of cheese.
  14. Playing in the sandbox by jfengel · · Score: 4, Insightful

    Why would you say that a sandbox model is overly restrictive? The Java sandbox model has many routes out; it means that you can specify what permissions an application has, not forbid all of them. The Java model comes with nearly all permissions set to "no", but they can be opened.

    That said, I haven't seen a really good way to manage permissions. It's just not practical for an applet to say, "In order to run this, you need these 47 permissions" and expect you to fix that. With cleverness the modeler could create roles with aggregates of permissions, so that you can say, "This app needs access to your browser UI" (like Tabbrowser).

    Still, that's asking the user to make a lot of security judgments based on trust. Some extensions/applets/ActiveX should be allowed to modify your hard disk; most shouldn't. How can the user tell?

    It's a hard problem, one that I don't have a good answer to. I know Microsoft's solution (based purely on a yes/no trust decision) sucks. But I'd say the problem isn't the over-restrictiveness of the sandbox, but the difficulty of asking the user to manage his/her sandbox well.

  15. Re:It's about time by Mantus · · Score: 4, Insightful

    I'm not sure why this post got modded as flamebait, it's something that will happen. As FF gets more popular more holes will be found, some won't get reported right away. MS aren't the only people that don't write 100% secure code.

  16. Re:Isn't it the same? by prof_tc · · Score: 2, Insightful

    Its not a hole in Firefox....
    You choose whether or not to install a plugin.
    Firefox, without any extensions, is probably hundreds of times safer than IE. Comparing Firefox with a bad plugin installed to IE, which is full of holes out of the box, is like comparing a Ferrari with a flat tire to an old junker and saying the junker is better.

  17. Re:Isn't it the same? by Blitzenn · · Score: 4, Insightful

    IE's vulnerabilities are admittedly in the same area. It is not that IE installs bad code, it is that it allows bad code to be installed. I don't see the difference. I am not defending IE at all, but Firefox is starting to quack like a duck too, it seems to me.

    Perhaps there is some credibility to the argument that once usage of a software package becomes widespread enough, there will be people who find ways to use it to their (malicious) advantage, regardless of the built in security features.

  18. Re:Here's TFA by Anonymous Coward · · Score: 1, Insightful

    What part of "It's broke, here's the fix" do you not understand?

  19. Hyperbole by RealProgrammer · · Score: 2, Insightful

    While some kind of "security" layer sounds nice, I'd like to know what you suggest, specifically. A popup box saying "this site is requesting permission to read file X"? User clicks ok, every time, and they quit looking at it after a while. Then you wrote this:

    a HUGE security threat, possibly even worse than anything that's come out of IE.

    • You can always uninstall the extension (but you can't uninstall part of IE)
    • An extension only affects the portion of the installed base that uses it
    • The model is:
      1. Put it out there
      2. Wait till it breaks
      3. Fix and repeat.

    There's really no way an extension to a Firefox app could get the penetration that IE had. Maybe AdBlock could get to 95% of the Firefox base, so if Firefox had 95% of the market, it could have the kind of numbers IE had in its heyday. Those are a couple of really big ifs, so I don't think your "worse than anything that's come out of IE" is at all justified. I'm not trying to hide behind obscurity, but just saying that your hyperbole is misplaced.

    How many IE users have been hit by spyware? 40%, 50%, something like that? Come on.

    --
    sigs, as if you care.
  20. Re:Here's TFA by Anonymous Coward · · Score: 1, Insightful
    Notice how they avoid explaining the problem/solution. They just want you to see these new exciting features, and download it now!
    I mostly notice how you quoted the entire normal home page content in addition to the security issue announcement on top of it and clearly separated with a horizontal rule, then allege that they're part of the same security announcement message. I also wouldn't call linking to a concise description of the bug as avoiding explaining something. I guess rtfa should apply even when you're copy-pasting tfa.
  21. Re:The next message in the thread is worrisome by idonthack · · Score: 2, Insightful
    Computers connected to the internet are "protected computers" under the statute. Crippling the software under the guise of an "update" is illegal.
    Like when Microsoft released Windows XP SP2 and broke everybody's internet applications?
    ---
    Light is filtering down from above. Would you like to use DIVE?
    Generated by SlashdotRndSig via GreaseMonkey
    --
    Why is it that when you believe something it's an opinion, but when I believe something it's a manifesto?
  22. Re:The next message in the thread is worrisome by arkanes · · Score: 3, Insightful
    Tell you what. You sue the GM developer responsible, and then I'll give a shit about your whining. Security updates that disable insecure functionality are normal and accepted. Furthermore, the manual update process is at least as much an acceptance as an EULA is.

    Gator and Weatherbug are not illegal, sadly - the EULA as justification for inclusion has been upheld. The user is in fact getting a bug fix - the bug that allowed for a major security breach is being removed. You may not like that bug fix, but sucks to be you. GM is not disabled by this update and many scripts will continue to run. Insecure scripts will not.

  23. You're being silly. by mcc · · Score: 2, Insightful

    Huh?

    Calling it an update, when in actual fact it's not

    I assure you, every user in the world who is not insane considers "removes a vulnerability that potentially allows any website to read your hard drive" an "update".

    I also assure you that if you want to engender trust among your users, removing as immediately as possible bits that would allow any website to read your hard drive is the way to do it.

    If upgrades that incidentally break features are illegal, then every single software company in the world would be in jail by now. The legal reference you are vomiting all over this comment tree has nothing whatsoever to do with what WebMonkey did today, it concerns something different.

    If you're so incredibly upset that a point release of a minor third-party extension for a minority web browser broke something minor in the process of fixing a truly huge and dangerous broken aspect of the previous point release, then the thing to do would be re-install the previous point release, not come make 30 posts whining about it on slashdot.

    the update mechanism is different under linux

    I have not used the firefox extension functionality under linux, but the documentation indicates you are flat out wrong here.

    In any case, if you wish to turn off the automatic update notify feature for extensions, instructions on how to do so can be found here.

  24. So Mozilla is no better than IE? by sheldon · · Score: 2, Insightful

    I'm gonna get troll rated for this, but whatever.

    So basically... Mozilla is just as much of an insecure platform as IE, because they allow plug-ins.

    Yeah, yeah.. It's Greasemonkey... it's some stupid add-in piece that you have to explicitly install.

    But that's also the way most spyware gets on IE. People get prompted "Please download and install this, and make sure you say 'Yes' when prompted is that ok?"

    and people do it...

    why? Because they are promised free porn, free poker, free music, or a free trip to Nigeria to collect their $10 million.

    Welcome to the real world!

  25. The Firefox XPI model needs re-evaluation... by argent · · Score: 3, Insightful

    I would like to first address a lot of the people who are taking this as a chance to really dog Firefox and the Open Source Community as a failure on their part.

    I've been arguing that the Firefox XPI model needs to be re-evaluated from a security standpoint for some time now.

    1. Installing XPIs should not be initiated from a web page. They should be downloaded and manually installed, like any other application or application plug-in. This would allow any attacks that involve using the installer for privilege escalation to be eliminated.

    2. Expanded rights should not be granted to any javascript that has not been explicitly installed.

    3. As a corollary to this, any method that leads to an eval should, when run from a script that's part of chrome, unconditionally revoke those rights. A new method that explicitly evals code with greater rights with a name that makes it clear that it's dangerous can be added if it's actually necessary.

  26. CAPs - a solution to access control problems? by matvei · · Score: 2, Insightful
    That said, I haven't seen a really good way to manage permissions. It's just not practical for an applet to say, "In order to run this, you need these 47 permissions" and expect you to fix that. With cleverness the modeler could create roles with aggregates of permissions, so that you can say, "This app needs access to your browser UI" (like Tabbrowser).

    I find it interesting that every application has to wrestle with these problems time and time again, instead of them being solved by the operating system. The reason for all this trouble is that the Access Control List security model is inherently flawed.

    Using ACLs makes us adjust permissions on a per-user basis, while it is not the user who does (good or evil) things with the computer but the processes running on behalf of the user. Thus an application can (be tricked to) do malicious things with the user's full permissions - as if the user himself was actively and knowingly destroying his data, sending it over to an eavesdropper, etc. A correct approach would be to grant permissions to do a certain operation on a certain resource on a per-process basis. This is what capability based security is all about. (If I am mistaken, I hope someone more enlightened in CAP theory will correct me).

    I am amazed that none of the popular operating systems implement capability based security models, since they would eliminate Confused Deputy Problems like this.

    Some random links relating to Capability based security:
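    An added example of the distinction matvei draws between ACLs and capabilities (it also bears on the permission-management problem jfengel raises above). It is not from the thread and not from any poster; the file system, the ACL table and the key material are constructed. Under the ACL model any script running as the user reads whatever the user can read, which is why a request helper that reads local files on a page's behalf is a confused deputy: it spends the user's authority for whoever calls it. Under the capability model the script holds only the directory object it was handed, that object can be narrowed further, and every object derived from one grant stops working when the grant is revoked.

```javascript
// Added example, not from the thread. The disk, the ACL table and the key
// are constructed; nothing here touches a real file system.

const disk = {
  "/home/alice/notes/todo.txt": "buy milk\n",
  "/home/alice/.ssh/id_rsa": "-----BEGIN FAKE KEY-----\nnotreal\n-----END FAKE KEY-----\n",
  "/etc/hostname": "workstation\n",
};
const acl = {
  "/home/alice/notes/todo.txt": ["alice"],
  "/home/alice/.ssh/id_rsa": ["alice"],
  "/etc/hostname": ["alice", "bob"],
};

// ACL model: the only question asked is "which user is running?", so every
// script that runs on alice's behalf can read everything alice can read.
function ambientRead(user, path) {
  if (!acl[path] || !acl[path].includes(user)) throw new Error("EACCES " + path);
  return disk[path];
}

// Capability model: authority is an unforgeable object. A directory
// capability can only name entries directly beneath its root, can be
// narrowed (attenuated) to a subdirectory, and all capabilities derived from
// one grant share that grant's revocation flag.
function makeDirCap(root, grant) {
  function resolve(name) {
    // Only simple entry names: no separators, no traversal components.
    if (name === "" || name === "." || name === ".." || name.includes("/")) {
      throw new Error("bad entry name: " + JSON.stringify(name));
    }
    return root + "/" + name;
  }
  return Object.freeze({
    read(name) {
      if (grant.revoked) throw new Error("capability revoked");
      const path = resolve(name);
      if (!(path in disk)) throw new Error("ENOENT " + path);
      return disk[path];
    },
    subdir(name) {
      return makeDirCap(resolve(name), grant); // strictly narrower authority
    },
  });
}

function grantDirCap(root) {
  const grant = { revoked: false };
  return { cap: makeDirCap(root, grant), revoke() { grant.revoked = true; } };
}

// A script that is supposed to work on notes but tries to reach further.
function greedyScript(cap) {
  const out = { todo: cap.read("todo.txt"), keyError: null };
  try {
    cap.read("../.ssh/id_rsa"); // there is no way to name a path outside the root
  } catch (e) {
    out.keyError = e.message;
  }
  return out;
}

function demo() {
  // Under ACLs the same script, running as alice, needs no trick at all.
  const ambientKey = ambientRead("alice", "/home/alice/.ssh/id_rsa");

  // Under capabilities alice hands the script only the notes directory.
  const { cap: home, revoke } = grantDirCap("/home/alice");
  const notes = home.subdir("notes");
  const result = greedyScript(notes);

  // Later alice withdraws the grant; the derived notes capability dies with it.
  revoke();
  let afterRevoke = null;
  try { notes.read("todo.txt"); } catch (e) { afterRevoke = e.message; }

  return { ambientKeyLeaked: ambientKey.includes("FAKE KEY"), ...result, afterRevoke };
}

console.log(demo());
```

    The point of the design is that there is no ambient authority left for a deputy to be confused about: a script that was never handed a capability for the .ssh directory cannot ask anyone to read it, and the user's grant can be narrowed or withdrawn without touching any per-file permission table.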