Slashdot Mirror
Firefox Greasemonkey Extension Security Problem
Mr2001 writes "A recent thread on the Greasemonkey mailing list suggests that the popular Firefox extension is fatally insecure. It seems rogue pages can read any file from your disk and send it to any site, using an XmlHttpRequest. Time to uninstall GM?"
OMFG - I cannot believe that you are such a TOTAL FUCKING LOSER.
... look ... here he goes.... YES - this DUMB FUCKFACE has just wasted one of his precious mod points on modding down the first post.
Yes, I am talking to you - the 'moderator' with the small penis and no clue - you know who you are - you are the only STUPID IDIOT reading this post, and
Wow - what a DICKHEAD you are. Gee, I bet your mums proud though, isnt she? What? she thinks you are a total fuckhead as well? - well what do you know!
It's about time people start writing some exploits for firefox!
http://www.dreamsyssoft.com
Nothing for you to see here. Please move along.
Quick, lets band together with a magician and a warrior and stomp those bow&arrow shootin mofos before they take over the internet!
Damn Microsoft! No doubt this can be traced to a Bill Gates directed consipracy against rebel browsers.
The only PT Boat Journal on the web: http://www.PT171.org
are going to produce some vulnerabilities along with the gee-whiz plugins of the moment. That's pretty spectacular, though.
Don't disappoint your bird dog. Go to the range.
Just more ammo for the mega-powers to say, "See, when it becomes mainstream, it becomes more insecure. Come back to windows."
Marvelous.
Luke
----
Be smart. Teach others. ChristianNerds.com
"Time to uninstall GM?"
Why not just do what the article says and "Install Greasemonkey 0.3.5"
My lame blog.
The firefox guys should have realized that extensions are a HUGE security threat, possibly even worse than anything that's come out of IE. What they should have done is setup some permissions from the first place, so that you can allow or prevent extensions from performing sensitive operations. Something similar to the Java security model would have been good enough
According to Firefox extensions site, you need to "uninstall or upgrade now." The post is from today.
Falun Dafa is good!
Time to try out Opera's User JavaScript.
Opera Watch - An Opera browser blog.
If you build an engine that allows you to write scripts that modify any page you view, there are obviously serious security flaws.
Allowing scripts to open files and send them elsewhere is especially bad, but there was a huge security concern to me either way. I like the concept of GreaseMonkey, but choose not to install it.
/. ++
This jsut goes to show the Microsoft isn't the only company who writes insecure software. I seriously doubt any company can write 100% secure software, so I base my judgement on if they can quickly fix holes that are found and learn from their mistakes.
Voice your opinion!
Here are some more details from the posting thread, which explains why the exploit is so bad...
This particular exploit is much, much worse than I thought. GM_xmlhttpRequest can successfully "GET" any world-readable file on your local computer.
f ile-leak.html
returns the contents of c:\boot.ini, which exists on most modern
Windows systems.
http://diveintogreasemonkey.org/experiments/local
But wait, it gets worse. An attacker doesn't even need to know the exact filename, since "GET"ting a URL like "file:///c:/" will return a parseable directory listing. (And Mac users don't get to gloat either; you're just as vulnerable, starting with a different root URL.)
In other words, running a Greasemonkey script on a site can expose the contents of every file on your local hard drive to that site. Running a Greasemonkey script with "@include *" (which, BTW, is the default if no parameter is specified) can expose the contents of every file on your local hard drive to every site you visit. And, because GM_xmlhttpRequest can use POST as well as GET, an attacker can quietly send this information anywhere in the world.
The above information posted originally by Mark Pilgrim
A severe security issue has been discovered in Greasemonkey versions prior to 0.3.5 as well as the early 0.4 alphas which some people may have installed.
Install Greasemonkey 0.3.5 or uninstall Greasemonkey immediately.
More information on Greaseblog.
Greasemonkey is a Firefox extension which lets you to add bits of DHTML ("user scripts") to any web page to change its behavior. In much the same way that user CSS lets you take control of a web page's style, user scripts let you easily control any aspect of a web page's design or interaction.
For example, you could:
Make sure that all URLs displayed in the browser are clickable links Improve the usability of a site you frequent Route around common and annoying website bugs Use the Coral content network selectively.
Getting started:
Install Greasemonkey 0.3.5. Learn how to use Greasemonkey. Find useful scripts.
Greasemonkey was heavily inspired by Adrian Holovaty's site-specific extension for All Music Guide and the conversation which ensued after he published it. There were tons of sites I wanted to create SSE's for, but fully-fledged firefox extensions proved too cumbersome. I wanted it to be as easy to create an SSE as it is to write DHTML.
The current maintainers are Aaron Boodman and Jeremy Dunck with the invaluable help of an awesome community of user script enthusiasts.
For questions or comments about greasemonkey, please send a message to the greasemonkey mailing list. Copyright © 2000-2005. All rights reserved. Terms of Use & Privacy Policy.
Notice hoe they avoid explaining the problem/solution. They just want you to see these new exciting features, and download it now!
Time is comparison of movement to other movement.
From the Thread.
This is why God invented the tag.
Finally a good reason to use it!
-Pizentios
We can blame God for all kinds of things like hurricanes and Godzilla but it's a safe bet that we brought THAT scourge upon ourselves.
EvilCON - Made Famous by
Is this a Windows only feature, or do us linux users get to enjoy it also?
GETPKG - Package Management for Slackware
Personally, someone could read my entire hard drive and it wouldn't bother me much. I don't keep sensitive information on my computer, because any computer connected to the internet should be considered insecure.
what sig?
Although the "average user" won't be using the various plugins, Microsoft will still point to this as one more reason to say that FireFox isn't secure. Sure, FireFox has it's bugs. We need to get fixing them.
I'm not saying that FireFox is perfect. Obviously, it's not, and this article is a case in point. It's still the browser I use. For me, this is a warning to fix things or wait for them to stable up (oh yeah -- that mindset shown, I am a Debian user). But just like we use any little IE thing to say "See, IE is junk," this'll get used too.
*sigh* The joys of conflict.
Luke
----
Smarten up your stupider-than-you coworkers, send them to ChristianNerds.com
If the Bitch from Redmond pulled a stunt like that, we'd be all over them like viruses on a Windows Box.
Purposefully breaking an app because of a possible exploit is arrogant, dishonest, alarmist, and just plain stupid. If we applied the same thinking to all other areas of our life, we wouldn't be able to do anything, paralyzed by possible fear of a possible bad meal, a potential flat tire, a possible power failure.
It's open source so millions of eyes have studied it to make sure it's secure...
looks like mozilla update is down !!
ahh ahh!!
every thing said and done... all softwares are as buggy if not worse than microsoft products
Would anyone have that info to post?? Thanx
Wait, What?
Firefox burns greasemonkey cuz it's made of fat But Seamonkey beats firefox because it extinguishes the fire. Then Greasemonkey beats seamonkey because it can float in water AND walk on land. my 2.56 cents
\u262D = \u5350
Oh, wait I don't browse as root already!
Guess it can't access "all" the files on my system then, can it?
Bavarian Purity Law of Rice Krispie Squares: Rice Krispies, Marshmallows, Butter, Vanilla.
I use Greasemonkey in conjunction with NoScript - an extension which prevents any site from using Javascript unless it is added to the whitelist maintained in the extension.
To run a Greasemonkey script on a page you have to allow that domain or subdomain in NoScript. This prevents Greasemonkey being used on a rogue page as I wouldn't use a script on an uber-dodgy site anyway!.
I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
(MAN) Sirs, I am in dire need of a web-browser! The one thus furnished to me by Mr. Gates of Redmond is rickety and unsafe, and prone to inviting the most deadly of spy-ware into my parlor!
(MOZILLA SOCIETY REPRESENTATIVE) Why, good sir, we shall help you forthwith! We have exactly the web-browser that you need! It has been engineered to the most careful of specifications, and its security is without compare!
(MAN) Why then I shall have one immediately!
(LATER)
(RANDOM STREET URCHIN) Sir, I see that you have this day procured a web-browser, which I see under your arm. May I convince you to also take this complex contraption of my own invention, which will attach to your web-browser as a "plug in"?
(MAN) What, what? An inscrutable device of unclear ultimate function furnished by a stranger of whom I know nothing? Yes, yes, why not. Now run along, lad.
(LATER THAT NIGHT, THE CONTRAPTION PROVIDED BY THE STREET URCHIN EXPLODES, SETTING THE WEB BROWSER AFLAME.)
(MAN) What's this? Oh, mama! The web-browser I have this very day recieved from the Mozilla Society has immolated, consuming my drapes and lighting my house aflame. They told me it was secure! Lies! Betrayal! Those Mozilla Society rapscallions! I'll give them what for!
Never send a Monkey to do a Gorilla's job or at least give him double the bananas. That's what I always say.
mcwidget.
I mean the number of people that leave their administrator account still called administrator and with either a blank password or just "password" you don't need obscure exploits to get sensitive data of most people's computers.
what a pissy fristy pisty.
It should be up to the individuals to decide if they want to make such significant mods to their system as purposefully crippling software.
You mean like in Firefox, where when updates are available all the auto-update feature does is display a little "updates available" icon in a browser window, then offer to install the updates when you click the icon?
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
"It's not a bug it's a feature" are quite likely words never actually spoken by any representive of Microsoft.
However there is a reason for this attatude.
Bug that makes it possable to run code on remote users box:
Users say "Oh no bug bug. Get rid of it"
Develupers say "Ohh feature feature keep it, expand it"
Security experts say "Bug"
If the develupers provide a strong enough argument the "bug" is classified as a feature and remains.
I don't actually exist.
StudyING it (it takes time) and they HAVE found it is not secure, just like the millions of eyes are supposed to do.
One of them is bound to notice, eh?
So it works! Sweet!
Sam
blog.sam.liddicott.com
Under the "Tools" menu in firefox there should be an "Extensions" menu item. It will pull up a list of the extensions you have installed. You can choose Greasemonkey from that list and hit the "uninstall" or "update" buttons.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
Isn't this a huge hole in firefox as a whole? What is to stop extensions from being added to my browser that open it up to malicious content? Isn't this the same as the problems that IE has? IE is fine until you start allowing plug-ins, add-ons and scripts. What is to stop a script from running that adds in malicious extensions or plugins to firefox? Turn off the feature? I can do that in IE too? Am I missing something here or isFirefox no more secure that Firefox?
No matter how secure the core Firefox code is, it is all meaningless with the current extensions model. With the current model (or lack of one) a malicious (or plain buggy) extension can turn Firefox into a bigger threat than IE.
From my understanding, Firefox extensions aren't restricted from doing I/O or listening on sockets/etc. What's to prevent somebody from writing a seemingly harmless extension which silently dumps all activity logs or other information to an outside listener?
A Java type sandbox model, while a reasonable analogy would IMHO be overly restrictive for extensions, which need to be more closely tied into Firefox than most Java applets need to be to do all the cool things that they currently do (eg: the Tabbrowser Extension) .
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
Isn't XMLHTTPRequest only supposed to work within a single domain (e.g. I can't send any requests from one of my servers to one of my blogs)? If so then why has this become a problem? And why some developers have disabled some security measures built in by other developers into the object?
./R My blog
They're beyond recovery at this point since everyone wants all the kewl extension stuff and there are an endless supply of idiots who think they can just patch pass a fundemental flaw in security. Yes you want a secure sandbox but it won't be possible at this point. You need to drop back to a more secure point of defence. It won't be the OS, not if windows is any indication of lack of security. It would have to be something at the hardware or virtual hardware level. So a dedicated browser machine running in a dmz or on a virtual machine without access to any sensitive files or resources. I'm not too familiar with VMWare but the mainframe vm's were all about security.
It seems rogue pages can read any file from your disk and send it to any site, using an XmlHttpRequest.
Only if the browser has all the rights, which is a very dumb thing to do no matter the platform.
On my main Un*x box, Firefox was installed in a normal user account (using the
I'm pretty sure that Firefox/GM installed in a non-privileged user account under Win2000/XP doesn't allow to access any file from the hard disk either.
I'm not trying to defend poor coding/security practice made by people who certainly should know better, but it's simply misinformation to say that access to the files accessible from a user account is equivalent to "all the files on the harddisk".
This is one of the reasons that I avoid FF. It's pretty minimal out of the box. Plugins from everywhere are promoted as what really makes it sing, but to me this seems to add a big risk. Yeah, open source, thousands of eyeballs, yadda, yadda, but how many people seriously have time or skills to review all the code for themselves and why should I trust that some strangers have done a good (or any) review on my behalf? Too risky - I'll stick with Opera, thanks.
In 1986 I wrote a Commodore 64 terminal program that allowed BBS' to download and run bits of assembly code onto the user's machine in order to enhance the user's experience. It took about 48 hours before someon posted a message that executed a jump to address 64738 -- system reset.
Bad idea then. Worse idea now, no matter how much supposed security you surround it with.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
I admit that I haven't yet tried out GreaseMonkey, but when I look at the exploit code it raises one really big question. Why isn't there some way to prevent non-user script from accessing the GreaseMonkey objects? Wouldn't this allow the user to retain all the ability they have now while rendering scripts from malicious sites harmless? Seeing as how GM is meant to be a means for the user to use scripts to modify pages, it seems very odd that anything outside of user script would be able to access its functionality.
I realize it's likely due to the nature of Firefox's JS interpreter, but if this sort of separation isn't viable could someone enlighten me as to why?
In the future, all spacecraft will be made of cheese.
Why would you say that a sandbox model is overly restrictive? The Java sandbox model has many routes out; it means that you can specify what permissions an application has, not forbid all of them. The Java model comes with nearly all permissions set to "no", but they can be opened.
That said, I haven't seen a really good way to manage permissions. It's just not practical for an applet to say, "In order to run this, you need these 47 permissions" and expect you to fix that. With cleverness the modeler could create roles with aggregates of permissions, so that you can say, "This app needs access to your browser UI" (like Tabbrowser).
Still, that's asking the user to make a lot of security judgments based on trust. Some extensions/applets/ActiveX should be allowed to modify your hard disk; most shouldn't. How can the user tell?
It's a hard problem, one that I don't have a good answer to. I know Microsoft's solution (based purely on a yes/no trust decision) sucks. But I'd say the problem isn't the over-restrictiveness of the sandbox, but the difficulty of asking the user to manage his/her sandbox well.
Don't add grease(monkey) to fire(fox).
so you don't browse as root. on most linux setups, that means you can't read other user's directories (do you really have lots of sensitive files lying around in /root?). truth is, web servers shouldn't be able to read files on your computer unless you specify exactly what to read (uploads are the only thing i can think of)--if this greasemonkey thing isn't a security flaw, i don't know what is.
on the plus side, it seems to me that it wouldn't be too hard to run mozilla under a very restricted user, who can basically write to a downloads directory and read from a preferences directory. that pretty much eliminates any problems to be had. seems like a pretty big end-all solution to me.
Everyone knows that non-Microsoft software has no security flaws. I blame Bill. Shame on you Microsoft!
The answer is: you. If you have half a brain you won't install extensions you know nothing about from sources you just met. Even if you would, Firefox would prevent you until you white-list the site. In IE, the stuff not only comes with the browser, but it's integrated into the browser and cannot be removed (activex, security holes, etc)
In what will surely be flamed or moderated down..... Mozilla(Firefox, etc) is reaching the point where competing with Microsoft becomes hard/more fair to microsoft. Their install base has grown past the "anti-microsoft-for-the-sake-of-anti-microsoft" people and now it has become a target that actually is large enough to aim at. Some estimates have Mozilla market share as high as 25%. This means that there are now people actively searching for security holes, as well as problems with updating the install base, for fear of obsoleting plugins and extentions. It will be interesting to see what happens as Mozilla foundation naturally looses momentum as they try to re-wage the browser wars. -- Posted from Mozilla 1.7.8
While some kind of "security" layer sounds nice, I'd like to know what you suggest, specifically. A popup box saying "this site is requesting permission to read file X"? User clicks ok, every time, and they quit looking at it after a while. Then you wrote this:
There's really no way an extension to a Firefox app could get the penetration that IE had. Maybe AdBlock could get to 95% of the Firefox base, so if Firefox had 95% of the market, it could have the kind of numbers IE had in its heyday. Those are a couple of really big ifs, so I don't think your "worse than anything that's come out of IE" is at all justified. I'm not trying to hide behind obscurity, but just saying that your hyperbole is misplaced.
How many IE users have been hit by spyware? 40%, 50%, something like that? Come on.
sigs, as if you care.
There are security holes in the software you use. ----- Period
heck is with all these posts saying, in essence, "as firefox gains marketshare, more exploits will be written for it"? Granted, that is very true but the exploit in question is for an extension and not the browser itself. Who actually uses the extension anyway?
Internet Explorer is way more secure and reliable. I went to a porno site yesterday and a pop-up asked me if I'd like to learn how to increase my penis size! How'd they know?!!! They must be reading my mind!
The next day, IE automatically took me to that site when I opened it up! In fact this page showed me a list of other sites I might like to visit like explicit hentai, rape videos, and scat! It was as if me and my browser mind-melded!
I like that when I was asked to pay for the penis-enhancing pills that I was redirected to site 135.34.65.256 instead of having enlargeyourlittlemember.com in my history list (wanna surprise the wife..)
It's been three months and I haven't got my pills yet. I think the postman is swiping them. (always wondered how he could steer his mail jeep and hand out mail at the same time.)
Where was I? Oh yeah, Firefox is a more secure browser, just don't use monkey grease.
It only makes sense that Greasemonkey would provide a rich medium for exploits. However, let's not throw out the baby with bathwater with reactionism. This is an obstacle / opportunity to help Greasemonkey to evolve, perhaps to Grease-Neanderthal. I would like to add, once again Lynx proves itself the uber-browser.
One ring to bind them - should probably have more fiber and less rings in their diet.
First of all, the problem with GM is not with malicious user scripts, or at least that's only as much of a problem as malicious extensions, and user scripts may even be less so so they are easier to read.
The problem lies in the interaction between certain API's and the DOM. They aren't seperated, and a malicious page can use the API's to execute remove commands, including accessing local files.
That seems like a big problem, until you realize, as the people working on this do, that a malicious webpage must be in the included list to utilize this exploit.
In other words, site specific user scripts, what GM was designed to impliment, are only vulnerable if that site passes malicious javascript.
Non-site specific user scripts, like Linkify, are the issue. They can easily be disabled in Tools>Manage User Scripts. They can generally be identified because they have a "*" or other general includes instead of a specific site url.
Don't believe me? test it yourself, here, with the example exploit. If all you see is a blank page, then congratulations your GM is probably still secure.
http://www.santacruzbynight.com/index.shtml Santa Cruz By Night Vampire Larp
No matter how you try, client-side JavaScript will never be secure.
Interestingly enough, IE's equivalent, Turnabout doesn't seem to have this bug.
1. Open a new tab .xpi link onto the new tab
:)
2. Drag and drop the
3. Profit!!!!
Bypasses the whitelist every time, not that I'd advise getting into that habit
Lets blame on Microsoft (not just IE), praise firefox (& Linux) and keep quiet.
Huh?
Calling it an update, when in actual fact its not
I assure you, every user in the world who is not insane considers "removes a vulnerability that potentially allows any website to read your hard drive" an "update".
I also assure you that if you want to engender trust among your users, removing as immediately as possible bits that would allow any website to read your hard drive is the way to do it.
If upgrades that incidentally break features are illegal, then every single software company in the world would be in jail by now. The legal reference you are vomiting all over this comment tree has nothing whatsoever to do with what WebMonkey did today, it concerns something different.
If you're so incredibly upset that a point release of a minor third-party extension for a minority web browser broke something minor in the process of fixing a truly huge and dangerous broken aspect of the previous point release, then the thing to do would be re-install the previous point release, not come make 30 posts whining about it on slashdot.
the update mechanism is different under linux
I have not used the firefox extention functionality under linux, but the documentation indicates you are flat out wrong here.
In any case, if you wish to turn off the automatic update notify feature for extensions, instructions on how to do so can be found here.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
Peace! Make Love, Not War! Free Love and Hard Drives!
I'm gonna get troll rated for this, but whatever.
So basically... Mozilla is just as much of an insecure platform as IE, because they allow plug-ins.
Yeah, yeah.. It's Greasemonkey... it's some stupid add-in piece that you have to explicitly install.
But that's also the way most spyware get's on IE. People get prompted "Please download and install this, and make sure you say 'Yes' when prompted is that ok?"
and people do it...
why? Because they are promised free porn, free poker, free music, or a free trip to Nigeria to collect their $10 million.
Welcome to the real world!
It's not that minimal, really. And if you stick to extensions from mozdev.org then there's an auditing body for you, as well. Most of the useful extensions are high profile, anyway, and so they are screened by more people, because you only really need a few to actually make Firefox significantly slicker (Adblock, Bugmenot, Web developer, some kind of Tab extension)
im in ur
Moderators please be aware. If you look at The parent poster's slashdot journal you will find that in the last two entries he (1) announces a "troll tuesday" dedicated to posting trolls and (2) directly links his post here today, with the header "flamewar!".
It seems fairly clear, based on his journal entries in which he expresses an intent to troll and then links this post; and the nonsensical and extreme viewpoint expressed in the parent post, and the bait-and-switch method by which he argues one thing in the top-level post then switches to something entirely different in the replies; that "tomhudson" is purposefully trolling, then using his journal to show off his post to the troll community to gather support and possibly upmods.
Please react accordingly.
This is one of the reasons that I avoid FF. It's pretty minimal out of the box.
Pretty minimal? WTF are you smoking? Firefox does everything for me right out of the box that I could ever ask it to do. I have installed it (total time including download less then a minute in most costs) on machines all over the place in lieu of using IE. I never have to download any extensions or plugins for it.
In fact the only plugin that I have installed on FF at home is Macromedia Flash. Other then that it comes with everything I need.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
By the way, "Greasemonkey Hacks" is DEAD until we fix this. And I'm
posting a big red blinking warning on every page of
diveintogreasemonkey.org advising visitors to uninstall it, until all
of these security holes are closed. This is why God invented the
<blink> tag.
And I just realized I changed my sig from the old anti-<blink> one. Poo.
I hate grammar Nazi's.
Not to feed the troll, but...
Firefox requires you to explicitly install extensions. Not only must you click install, it makes you read the install dialog (the "Install" button is greyed out for a period after the window pops up). Oh, and it needs to be a trusted site too.
Most spyware gets into IE by exploiting bugs so that you never see the install.
This is largely because of IE's marketing game. At some point, the web browser threatened the traditional application space. Put less kindly, all of those VB monkeys (not to be confused with programmers) would lose their jobs because of those darned web page thingies.
Microsoft threw the web people a curve ball with IE. They attacked open standards with their negligence, gave the VB monkeys a mechanism to spread their pox on the world (ActiveX), and created a new, exciting way to be tied to Microsoft (ActiveX and IE in general).
Before Microsoft, 9 out of 10 people weren't clever enough to "develop software". Of course, they aren't now either, but they can make it look decent enough. It's no wonder that people trying to make real progress have to deal with this kind of overgeneralized tripe.
More to the point, any web browser needs a plugin architecture to be extensible. All of your assertions above blithely assume this is not your problem. Regardless, the only way to allow:
a) Extensibility
and
b) Security
is to allow the user to provide the security layer. People miss this, but there is no way (and likely will never be any way) to have a computer recognize what is malicious. At some point, the user will always have to make the choice to install something that fundamentally changes the computer. At that point, there will always be this problem.
The catch is, IE often will allow installations without so much as a prompt. This is the problem. So, actually, IE *DOES* install bad code. It often does so because IE contains broken code itself.
In this case, Firefox functioned within the security model and the use instructed it to install code which was broken. That was the problem. Worlds of difference here. This is a GreaseMonkey problem, pure and simple.
Put another way, remove GreaseMonkey from the equation and there ceases to be a problem. Well, unless you continue to maintain that a browser (or any software) should magically infer intent, in which case I have some snake oil to sell you--assuming Microsoft has left you with any money.
I think Mauve has the most RAM. --PHB (Dilbert Comic)
Parent is absolutely correct. Of course, it will be ground into "-1, flamebait" dust in about 10 minutes.
Denial is always the proper approach when dealing with liberals.
"Those Mozilla Society rapscallions! I'll give them what for!"
Mozilla is just as much of an insecure platform as IE, because they allow plug-ins.
Not quite.
The big problem with IE is not just that it has a plug-in mechanism, but it has a plug-in mechanism that's based on the HTML control (the actual browser component) assigning the right to install plugins to an object (the web page) based on an ad-hoc security model that's based on the location the object is believed to originate. Certificates, security dialogs, and so on... these are layered on top of this, but basically the HTML control is responsible for figuring out if a "dangerous" action should be allowed with no more than hints from the calling applications, and a jargon-filled dialog box that the user has to decide on RIGHT AWAY.
I get calls from my users all the time that are variants on "this dialog box came up and I hit 'yes' without thinking".
So... the control is pervasive, it's used by lots of applications, the API can't be significantly changed without creating a mass upgrade day for every app that uses it, responsibility is placed in the wrong place, and the user interaction encourages mistakes.
Firefox's extension mechanism has a similar problem with its installer, but:
The extension installation mechanism is part of Firefox, not the Gecko HTML display object, so applications using gecko aren't automatically exposed as well.
The Firefox extension API does not depend on the installer's behaviour, it's possible for Firefox to switch to a more secure download-and-install design without breaking any applications.
The user interaction requires three separate steps, and there's no path through those steps that simply answering "yes" by reflex will result in the extension being installed.
In addition, in Windows, there have been a number of attacks that involved tricking the HTML control into thinking that a remotely downloaded object was local... or even already installed. This approach is not possible in Firefox because instead of allowing plugins to run from anywhere except the places it thinks are dangerous, it doesn't allow plugins to run from anywhere except a specific directory that's got a randomly generated name in its path so it can't be targeted by a download.
I would still recommend using a shell other than Firefox around a Gecko- or KHTML- based browser. I use Camino (Gecko) and Safari (KHTML) on Mac OS X, but I'm sure there are equivalents to these for Windows. But regardless, the exposure from using Firefox is so far less than using IE that if Firefox and IE are your only choices... use Firefox.
I do not recommend using the Netscape browser, because of the way it allows the use of either Gecko or the Microsoft HTML control.
I would like to first address a lot of the people who are taking this as a chance to really dog Firefox and the Open Source Community as a failure on their part.
.mozilla (Linux) My Documents (Windows)
/home/$USER on my machine is (700 or rwx------) which prevents /home/$USER/.mozilla/firefox/* from being displayed (and just to be safe all things ~/.mozilla/* should be 700)
/etc folder (Linux's folder for configuration) because a lot of it is owned by root with 700 or 770 permissions. So that leaves for the most part things that a hacker could have already found out if they had just used nmap on my system. Same goes for Windows.
Because someone has discovered this problem, one can now fix the problem. That is the whole idea of Open Source and all that rot. If anyone would love to submit a patch for Windows 95 to make it run longer than 52.5 days, I'm waiting. It's a known problem, why isn't it fixed? Well because someone, somewhere said they weren't going to fix Windows 95 because it's too old. Which this is the case a lot in closed source. you know there is a bug and you'd like something to be done about it, but nothing will be done unless MS sees that a patch for the software is a cost justified.
Also aside from the fact that this is an extension of Firefox, I know it's just as bad as if the package was faulty. Up till today I had never heard of this extension. So I'm not sure as to how widespread this problem is, but I'm guessing that good chunck of all Firefox users do not have GM.
To top it all off, the writers of GM have issued a fix for their extension by means of version 3.5. Yes I know it breaks API compatibilty, which sounds like something MS would do, but just like what the Mozilla team did with IDN, they turned IDNs off until they could make a good way of handling them. Which the Mozilla team came up with a fix in a fairly decent amount of time. I find it highly possible that this peice of software will do likewise. As opposed to MS breaking things with SP2 and then telling all of the vendors to just get over it, (which I will agree that only a small amount, twenty or so, of vendors got 'left behind', so not horrible, just bad.)
Now secondly, from the story, GM only returns results of files that are world readable (aka the Everyone group if you are a Windows person). Now, I'm not sure how everyone has their system setup so this could all vary from one person to another.
In Linux my home directory (the one with all my private stuff) is only owner read, write, traversable (700 or rwx------).
If I remember correctly, in Windows the C: (root) drive's premissions for the Everyone group is.
-Traverse/Execute
-List Folder/Read
-Read Attributes
-Read Permissions
(I may have missed a few because I don't have a Windows machine handy)
At no part is write premission granted to Everyone.
Therefore, your OS is mostly secure to protect you from getting some form of malware on your system.
However, this does allow someone to read data from your system if, and this is the big if, you set your private stuff as world readable (aka readable by the Everyone group.)
Which as far as I know all of your cookies and history is stored somewhere in
Which as stated previously
Now if I correctly remember for Windows, My Documents, does not even have an entry for the Everyone group to do jack crap with. I know, gasp , Windows Permissions actually working for the user?!
So this leaves the would be hacker mostly your system configuration (and not even the good parts) left open to be read. I know they can't read a bunch of my
I mean really, what good does it do one to only be able to read the boot.ini file??? "Ok, now I know you have two installs of Windows, or you use the Windows bootloader to load Linux for you (or what not.)" It's not like they can change it, only read it.
This problem isn't a very high security threat if you have some wits about you, but it is a problem indeed and it needs to be fixed. However, this problem is being hyped up as if this was allowing world write access to your system, which is just not the case.
The problem is that the user code becomes part of the page, so they are in the same security context, but we could require the GM functions to require a hash to be passed, this hash would be generated for each machine, so, code coming from the net would not know the hash and would be unable to access the functions, but code coming from the user would have the correct hash, and so would be executed ...
WTF am I doing replying to an AC at 5 A.M on a Friday night?
..that Mozilla is having lots of problems lately..
U need flash?
Just because it CAN be done, doesn't mean it should!
I would like to first address a lot of the people who are taking this as a chance to really dog Firefox and the Open Source Community as a failure on their part.
I've been arguing that the Firefox XPI model needs to be re-evaluated from a security standpoint for some time now.
1. Installing XPIs should not be initiated from a web page. They should be downloaded and manually installed, like any other application or application plug-in. This would allow any attacks that involve using the installer for privilege escalation to be eliminated.
2. Expanded rights should not be granted to any javascript that has not been explicitly installed.
3. As a corollary to this, any method that leads to an eval should, when run from a script that's part of chrome, unconditionally revoke those rights. A new method that explicitly evals code with greater rights with a name that makes it clear that it's dangerous can be added if it's actually necessary.
Seems like the problem is fairly obvious. Executable code is sometimes malicious. That's kind of just part of the whole "General purpose" computing thing. The same thing goes for any executable on any system.
And the solution is hte same: don't use executables (scripts) from dodgy sources. And since greasemonkey scripts are by definition open source (little 'o'), and usually not very long, it's trivial check for flaws or exploits. If not yourself, some white hat out there will do it.
So in other words, business as usual.
Stupid like a fox!
Why? Because I can't believe that anyone would be STUPID enough to try to "fix" a potential exploit in such a dumb-as way. And that, when I called "bullshit" on it, I immediately got dumped on by a bunch of syncopating knee-jerk "open source devs can do no wrong" posters who don't want us to operate to the same standards as closed-source devs? Yeah, its a flame war, all right, but its not trolling. Not in the least!
So look at the facts:
- There was a "potential" - exploit. Not one in the wild. Just a possible one, that affects only a small subset of users
- To reduce the damage caused by their mistake, the developer unilaterally decides that its better to cripple the software through an "update" rather than give the users the information they need to make an informed decision, and decide for themselves whether they want to continue using the functions in question
- The (the developers) post on their list that they're going to intentionally cripple it through the update mechanism, doing an end-run around the whole informed consent issue, and, incidently acting illegally
So, how the fuck is this trolling? Did you see a single post with a "Burma Shave" jingle in it? NoMore Facts:
- Fact: The L'Oreal case I cited was profiled on W5 almost 20 years ago. It bankrupted the IT company. Unfortunately, it's a bit before most posters time, but it established in court that developers can't unilaterally "throw the switch".:
- Fact: It is YOUR RIGHT to be informed as to what the intent of any update is. Not just "this is an update that closes a potential exploit", but "this is an update that will intentionally fuck up any scripts that depend on this API, so if you need to make calls to gm_API_xxxx, don't patch"
- Fact: We would all be bitching if Microsoft pulled something like this. They don't. Every patch contains an explanation to what its INTENDED (as opposed to accidental side-effects) effect is, and includes the possibility to "just say no."
- Fact: We're acting like a bunch of hypocrites if we don't hold F/LOSS to the same standards of disclosure.
So, please tell us, mister A. C., just how the fuck this is a troll?As for the mods, I don't mind taking the karma hit for speaking the truth. But if they go back through my JEs, they'll also see that Troll Tuesday has ZERO to do with "trolling" in the way that you seem to think it does, and that it's more about raising the level of debate, specifically, about challenging the conventional, knee-jerk reactions that have turned slashdot into slushpot.
What is to stop a script from running that adds in malicious extensions or plugins to firefox?
Um, the fact that there's no mechanism in Firefox for a script to automatically install malicious extensions or plugins. The user has to:
1. Open a form and add the current web page to a white-list.
2. Request the same installation again.
3. Wait for a timer to count down to make sure that the user isn't automatically clicking "OK".
4. Click "OK".
I agree that this is really not stringent enough. The user should download the extension like any other file then explicitly install it. But compared to the IE experience --
1. Click "OK" on a routine jargon-filled dialog.
-- it's clear that while the Firefox installer is a bad design from a security standpoint, but it's bad like littering, not bad like grand theft auto.
I find it interesting that every application has to wrestle with these problems time and time again, instead of them being solved by the operating system. The reason for all this trouble is that the Access Control List security model is inherently flawed.
Using ACLs makes us adjust permissions per user basis, while it is not the user who does (good or evil) things with the computer but the processes running on behalf of the user. Thus an application can (be tricked to) do malicious things with the user's full permissions - as if the user himself was actively and knowingly destroying his data, sending it over to an eavesdropper, etc. A correct approach would be to grant permissions to do a certain operation on a certain resource per process basis. This is what the capability based security is all about. (If I am mistaken, I hope someone more enlightened in CAP theory will correct me).
I am amazed that none of the popular operating systems implement capability based security models, since they would eliminate Confused Deputy Problems like this.
Some random links relating to Capability based security:
I know it's stallman's share everything mentality but personally I don't like my home being world readable. So I change it. But I could picture in business environments that they'd definately not like one user to read other users home. The user might not have access to the network like this, but sometimes the one machine is time shared with other employees. I think during install or something a distro should ask you how you want the default user permissions set up.
And since I've set my home this way, I assume this couldn't read my home right?
I gave up smoking years ago, but you may be smoking something comparing FF to IE (I didn't even mention IE because I have no use for it).
I guess you haven't tried many browsers. My browsing goes back to the Mosaic days and I have used more browsers than you have fingers.
I challenge you to try Opera for a few weeks and then do a reality check on your statement.
Lets get the usual "but FF is free" comeback out of the way right now: Ad-sponsored Opera is free and can be set up with text ads (non-flashing) that take only 1/24th of vertical screen space (big deal). It's not much to give up for so much browser. You can also hit F11, go full screen and no ads!
Opera is not perfect, but it beat 7 shades of Hades out of every other browser that I've used in the last 10+ years (and that is quite a few).
Opera d/l about same size, installs just as fast. Try Style Sheets, Zoom, Sessions, Rewind, Fast Forward etc., etc. - real power user stuff. Opera's d/l manager is an order of magnitude better than FF. By the way, many of FF's "original" ideas were originally seen in Opera.
I'll bet you'll find that you didn't browse very efficiently and probably weren't even be aware of it. Or don't try it and never know what you're missing. It's your choice.
...Uninstall Firefux and install IE instead.
Open source = more secure???? Riiiiiiiiiiiiight.
MICROSOFT RULES!!!!!!!!!!!
----- Open Source = More Secure (mmmmkay)
You explanation makes it sound very safe, but I have my doubts your explanation is correct.
It appears GM added commands to use the contents of files for it's own purposes, and the bug is that other pages not controlled by GM can get at these commands.
I find it hard to believe they implemented these commands to check for the files to be world-readable. First this would mean that anybody using GM for it's intended purpose would have to make the file it is reading world-readable, which would be sort of a security problem in it's own right (say it has secret information in it that you don't want other users of the computer to see).
Second it requires quite a bit of annoying code to check for world-readable, as opposed to just trying to read the file, and you are implying they did this correctly both for Windows and Linux.
I'm just not buying it, without a more compelling explanation as to why they would have implemented it this way.
While what you describe would be a really cool feature, it is also more easily said than done. I'm positive it could be added at some point, but it maybe isn't reasonable to expect it to be a 1.0 feature.
.exe. If this isn't clear enough to the end user, then the first thing to do would be make that more clear.
:)
It isn't enough for security features to be there-- they have to be clear. The user interface is as much a part of the security as the permissions models-- a security feature which overwhelms the user with options is as bad as no security feature at all, as they'll just click "OK" without understanding what it was they did. And the firefox devs tend to err on the side of simplicity over power. Have you seen how many really important preferences are buried in that about:config forest because they couldn't bear clutter in the Preferences dialog?
Extensions are and should be applications unto themselves; that's the point. The fact they're written in javascript rather than machine code doesn't make them different than a
Once that's past, though, it would make a lot of sense for a permissions model for extensions to be added as you suggest. If nothing else, it seems like it would be relatively easy to add an option for some or all extensions to be ratcheted down to the same permissions level as normal javascripts, rather than the extended permissions available to chrome javascripts, since many extensions don't actually take advantage of the extended permissions (as long as some kind of exception was added just large enough to allow extensions to create and edit their own preferences files). However: How should this be presented to the user?
You or I may have the ability to look at some random extension and go "well, knowing what this plugin does, it makes sense for this plugin to be able to modify DOMs and query websites, but not for it to be able to read files off the hard disk". You or I would then be able to set some checkboxes for each plugin specifying what they can and can't do in a granular fashion. But the average user doesn't understand such things, and so shouldn't be outright presented with these questions unless it's through a buried poweruser option like about:config is.
So how do we present this? Should the extensions be split into "trusted" (chrome permissions) and "untrusted" (page-level javascript permissions), and the user sees which is which when they look in the extensions dialog? Should the extension format be extended to include a requestpermisisons.rdf which results in the "would you like to install" dialog for the extension explaining to the user that this extension modifies webpages, this extension reads your hard drive, etc? Should there just be one big "allow extensions to access my hard drive" checkbox in the preferences?
I do not think the answers here are obvious. Some serious thought needs to go into this before the firefox peoples even make any attempt at implmenting it.
Anyway I suggest you file this to bugzilla as an enhancement request, or, um, exactly what is it one does with feature suggestions to mozilla?
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
Is greasemonky on mozdev.org? If so - can we blame mozilla/FF for a security lapse?
Opera, Proxomitron-Grypen,GPG 0x0A1C6EE3
I tried to uninstall Greasemonkey months ago. The Extensions window still says "this item will be uninstalled after you restart Firefox." What, am I supposed to wipe my whole profile now?
Greasemonkey is hardly alone. Other Firefox extensions have done this, often for what seem like less important reasons. For example, ForecastFox (a widget that uses a Web service to check the weather) changed its service provider from weather.com to accuweather, breaking many user settings that were customized to the specific data available from weather.com. The lesson is to check what changes an update makes before downloading it.
.exe and .vbs attachments automatically. That helps stop viruses, and is IMHO a good idea, but it also inconvenience the few people (other than virus writers) who used the feature.
Many security holes are the result of increased functionality, so the easiest way to fix them is to remove it. Microsoft does this all the time. For example, an update to Outlook stopped it from running
It didn't take long for Scoble to try his marketroid magic to exploit the situation;
a 10693
http://radio.weblogs.com/0001011/2005/07/19.html#
"Rough week for Firefox team"
Don't forget to take a look at his comments section to see how hard his trying to spin this to show Firefox is even less secure than IE!
- sigs are for wimps.
Whatever you do, don't bother telling us non-FF users what greasemonkey does!
:)
It's discrimination I tell you... you've been after us Opera users from the start!
If I can't smoke and swear I'm fucked.
Mozdev, just like MozillaZine and MozillaNews is actually not part of the Mozilla Foundation and is not under their control. Thank you, please try again.
As long as the browser allows some form of plug-in which can intercept URL requests... it's going to be vulnerable to spyware.
I'm sorry, I don't understand what the browser or the plugin has to do with this. You're describing a social engineering attack. Once someone has used social engineering to run code on your computer (whether by having you download and install an application, or by having you download and install a plugin, or by having you download and run a standaline application) that's "game over". They can do anything they want.
There's no "big gaping hole" in the browser that allows this, there's simply the fact that the user has the privileges necessary to, whether from the browser or from Windows Explorer or from the shell, run an unsandboxed application.
The security hole in Internet Explorer has nothing to do with the fact that you can install plugins in it, it has only to do with how you do it.
It has been possible to install plugins, or to download and install applications, or download and run scripts, on all personal computers running all operating systems since the very first primitive bulletin board systems went up in the '70s... mere moments after personal computers became available.
Up until the late '90s, though, it was pretty much impossible for someone to launch code on your computer without you explicitly downloading and requesting the execution of that code. Oh, there had been occasional exceptions, but they never lasted long and they were never the mechanism of choice for virus distribution. Social engineering and file sharing were. So long as you were aware of the possibility of social engineering, and didn't run files other people left for you, you were safe.
There used to be a joke about a virus that you could get by just reading an email. It was the "GOOD TIMES" virus. It was a joke because everyone knew that nobody would be so stupid as to write a mail program or bulletin board client (terminal program, browser, what have you) that let someone you didn't know run code on your computer. That was insane.
The Microsoft HTML control was the first program, ever, that I am aware of that contained a mechanism to launch unsandboxed applications (scripts or plugins) from a remote site. When I saw how IE and the desktop were being integrated, I went to our managers and I said 'this is a security problem. I don't know what's going to happen, but I know that this program is going to be used to break in to people's computers. I want to ban this program from our site'. They said 'OK'. now, I suspected that the first exploits would be through Active Desktop, I was wrong about that, but I wasn't wrong about it being bad.
We used Netscape and then Mozilla for years. We occasionally had someone social-engineered into downloading and running some piece of malware, whether through email or through the web, but it was rare. Almost all of the times that I was called out to disinfect or reinstall someone's computer, it was because someone had violated our policy and used Outlook, Outlook Express, or Internet Explorer.
Later, when our parent company forced us to cahnge that policy, things got worse. But still, while I occasionally had people come to me and say "I clicked OK again, Peter, I'm sorry"... I never had them say "I downloaded and ran/installed an application/plugin and it was infected" more than once. Because there is a HUGE difference between "clicking OK" and explicitly running a program.
THAT, my friend, is the "real world". In the real world, the distance between the Microsoft HTML control and any other component used in a browser, mail program, or other application used to view remote content is so huge that equating one to the other, even when there's problems in the other application as there are in Firefox, is simply ludicrous.
It's got nothing to do with one having more choices or features, it has to do with Internet Explorer and all other applications using the Microsoft HTML
I've been using Greasemonkey to download mpeg files and other media files that won't run in Firefox by default. And I've been looking into creating Greasemonkey scripts to fix problems with various sites that cause Firefox fits. Many sites are only tested with IE -- and I've had all kinds of terrible things happen to my PC when I was running IE. (Some earlier comments alluded to BHOs, etc. -- that kind of thing). All of those comments casually suggesting people drop or disable Greasemonkey are less than helpful.
That is pretty low, I don't see why the Greasemonkey plugin is now supposedly representing Firefox, its just a simple developer tool that lets you add JS code to a set of pages you define. Firefox is a complete browser, much more complex and amazing at what it does. I do like Greasemonkey, and I know they will fix this is no time.
Meet new people, and kill them.
Wouldn't this class of problems be easier to avoid within SEL?
Opera User Javascript.
Why should this be done at the layer of the browser? Get a real OS with a security model based on the idea of Mandatory Access Control and you get this with every application.
It fails the three-clicks rule. ;)
Mozilla has internal support for tabs, right? I used tab extensions before mozilla had support, but now I don't see a need.
Noa troll, but curious: What features do you find you can't live without that are installed by one of the tab extensions?
It's clear that the author of this "news" didnt bother to check if an upgrade was available before posting about this.
p ?id=748
I think this is both unfair to Mozilla as to GreaseMonkey.
Please update the news as you do other times to say that users can update their GreaseMonkey installation to avoid this bug.
https://addons.mozilla.org/extensions/moreinfo.ph
Excellent effort--I commend you. GNAA quality!
6 clicks or 6000 clicks, who cares how many clicks for Joe sispack to install an extension, it didn't prevent GS from being a security threat.
Toolbars: Right click over tool bar for list of location options - left, right, top, bottom, off
Buttons: Right click over button and select remove from toolbar, or drag and drop to new location.
It took me all of 2 minutes to get rid of every toolbar and that I didn't like and put the buttons where I wanted.
Next problem?
Time to get converting your favourite Greasemonkey user scripts to full-blown Firefox extensions ;-)
Some details here http://www.keebler.net.nyud.net:8090/blog/2005/07/ 09/convert-greasemonkey-user-scripts-to-firefox-ex tensions/
They're not essential, but they make my browsing life a lot more pleasant!
im in ur
The point I was actually making about mozdev is that you shouldn't get malicious extensions hanging about there. Anything that is a security hazard is hopefully going to be an accidental one.
im in ur