A new beta of the popular Firefox browser extension fixes a potentially dangerous security vulnerability.
A new beta of the popular Greasemonkey browser extension has been released to fix a well-knownand potentially dangeroussecurity vulnerability.
The security upgrade comes less than two weeks after the discovery of the flaw which prompted a major uninstall warning
because of the risk of file hijack attacks.
The flaw is so serious that developers have warned users to completely uninstall Greasemonkey versions prior to 0.3.5.
is a Firefox add-on that lets users load custom scripts to modify Web sites on the fly.
According to Aaron Boodman, one of the maintainers of the project, the Greasemonkey 0.5 patch "completely disabled" several important classes of attacks.
"This has been fixed by moving user script execution away from content completely," Boodman said in a notice on the Greaseblog support site
Click here to read more about a critical Greasemonkey flaw.
With the fix, Greasemonkey will now execute user scripts in a separate objecta "sandbox"which is not part of the content window. "That means that content scripts cannot access it, and thus, cannot employ any of the tricks above to get access to the special GM APIs," Boodman added.
In earlier versions, it was also possible to block Greasemonkey itself by redefining certain content DOM methods that it used to inject scripts. "This has been fixed in [Greasemonkey] 0.5 by only ever accessing content via the special XPCNativeWrapper objects provided by Firefox for this purpose," he explained.
Another security issue with the "GM_xmlhttpRequest" feature has also been fixed to block that request from accessing the "file://" protocol to read local files.
Even with the patched version, Boodman made a point to warn that "no software is ever perfectly secure."
"Greasemonkeys entire point of existence is to mash code from two different trust domains into the same space, so it has been particularly tricky. This will be an ongoing fight. But for now, I believe that there are no known major security issues with Greasemonkey 0.5 and that it is safe to use," he added.
In addition to the security fixes, Boodman said the new beta includes several new features and bug fixes.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.