Greasemonkey opens hole in Firefox
A serious security flaw has been discovered in Greasemonkey, a widely used extension to the Mozilla Firefox browser.
The bug is the third annoyance affecting Firefox users in the space of only a few days, following a successful attack on the Spread Firefox marketing site, and a Firefox update that broke many third-party extensions.
Greasemonkey is an extension, or add-on, to Firefox that allows users to customize the sites they view using powerful scripting tools. The problem is that certain of Greasemonkey's functions are exposed in an insecure way, allowing them to be exploited by a malicious site.
Specifically, a site could read the contents of specific files on a user's system, or could list the contents of a user's hard drive, according to researchers. The bug affects any operating system running the extension. The bug is only exploitable if Greasemonkey is configured to run scripts on the malicious Web site, for example if the extension is set up to run on all sites the user browses.
"Running a Greasemonkey script on a site can expose the contents of every file on your local hard drive to that site," wrote Mark Pilgrim, who discovered the flaw, in an email to the Greasemonkey mailing list this week. If users have configured the extension to run their scripts on any site they visit, this "can expose the contents of every file on your local hard drive to every site you visit".
Greasemonkey's developer advised users to upgrade to the most recent version, 0.3.5, which fixes the problem by disabling the tool's more advanced features. The bug affects all previous versions, researchers said.
Firefox doesn't have an equivalent of ActiveX, the component of Microsoft Internet Explorer that allows Web sites to run powerful scripts on a user's system, which is often used in attacks and in spyware. Firefox extensions can be as powerful as the developer likes, but cannot automatically install themselves as can ActiveX controls.
» posted by abennett
Techworld.com
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
