Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Greasemonkey Gets Security Makeover



 By: Ryan Naraine
2005-08-01
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
A new beta of the popular Firefox browser extension fixes a potentially dangerous security vulnerability.

A new beta of the popular Greasemonkey browser extension has been released to fix a well-known—and potentially dangerous—security vulnerability.

The security upgrade comes less than two weeks after the discovery of the flaw which prompted a major uninstall warning because of the risk of file hijack attacks.

The flaw is so serious that developers have warned users to completely uninstall Greasemonkey versions prior to 0.3.5.

Greasemonkey is a Firefox add-on that lets users load custom scripts to modify Web sites on the fly.

According to Aaron Boodman, one of the maintainers of the project, the Greasemonkey 0.5 patch "completely disabled" several important classes of attacks.

Resource Library:

In Greasemonkey 0.3.4, it was possible for JavaScript on Web pages to use DOM mutation events to get references to the special GM API functions. This could be exploited by a malicious hacker to gain access to the contents of every file on an affected users local hard drive.

"This has been fixed by moving user script execution away from content completely," Boodman said in a notice on the Greaseblog support site.

Click here to read more about a critical Greasemonkey flaw.

With the fix, Greasemonkey will now execute user scripts in a separate object—a "sandbox"—which is not part of the content window. "That means that content scripts cannot access it, and thus, cannot employ any of the tricks above to get access to the special GM APIs," Boodman added.

In earlier versions, it was also possible to block Greasemonkey itself by redefining certain content DOM methods that it used to inject scripts. "This has been fixed in [Greasemonkey] 0.5 by only ever accessing content via the special XPCNativeWrapper objects provided by Firefox for this purpose," he explained.

Another security issue with the "GM_xmlhttpRequest" feature has also been fixed to block that request from accessing the "file://" protocol to read local files.

Even with the patched version, Boodman made a point to warn that "no software is ever perfectly secure."

"Greasemonkeys entire point of existence is to mash code from two different trust domains into the same space, so it has been particularly tricky. This will be an ongoing fight. But for now, I believe that there are no known major security issues with Greasemonkey 0.5 and that it is safe to use," he added.

In addition to the security fixes, Boodman said the new beta includes several new features and bug fixes.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.





  Reader Comments: Greasemonkey Gets Security Makeover
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}r㶲s\@♵M"b{)ْmؖI*EBc"){~u~|.dLb["h4y$ W7-gL.]sfS;uA@ [!%w> '(+ԯ1mnf]S/ _hoL|Nშ :#:@.Pk< Z57껲54o/ne0S-ڎIQ>)֐NմImZ/P8$H.wH~ThgeMGQR`F Cw*Nul9 Q!W2/Fӽ8t[h  5ya_;U'iv;P;U{QUh/E@^cBȡ[Rh=3dc7.{ -,v2K*-aе :9z u v}J@J73ҧ }KH;R@}ky>5I ib1lp2E%$7 .mqS`?Ķh¹p\.* }= :ԍ|$ .j.s&"U-wS&>Cɤ:ZdQ}9e, f4öCCٰ4\>jrTW#x`9ؖ3lTzEÝ3۟](Uw9.C[w5-uP\vNni\u?/.-N|'oLZ.JT:( Ԙ8|5 uz P%opAIS# Ԏ40" J1~̢2q}oU}s}I}r~|i"|c9̠VPAf`W+e`=m>_svZ9ސVcCV|BCj`BәcYueUo~9c_CMXCEC0j#3?]$?_tNHA҉,-0N`mYn_H!-a(7fhX@?$eR2ML9X@/@שS aWtB=88m&T7oh2 4 .Ϭzh-Aho*K>Lru&@Sk~$GM ]sΚb.L2<|){mZ—W/(AK/ ڊ5|*(if){΀/3A.r)i  6=aB+^뻹(4l=j\gQwW9Q] K\M흛ǘ+}7NvW.~lzͳ6LqJjhX.B2iKB0.pkꛛZrG_)C>ѯ+r%(NLf[ԑplPòǔIGz}~? aO>lZꎓz>:AGAtišh4έP7&h`C:}ҍ;L 'pGbdx: C 04LH#AтMtT;n]`2Z9<L&zVt#` VGPC!nH }P(Vr`{>[S9{ݲeǀԜu%w2J}cn.O)))I.B$(ZȻ"!Alq [$t Xxl++~#AvGBjy?mlry wrsyd&,gQY,p[/)͙J2d0U Q򍜘=b`&Qea*0pRx5Vn,`o+GvP#&G#˰` 3G }= 3̲M҄%Ll;!i`0Ґ(eNa9熳~Lh?wܰHz}O VV̚3=P.Ƈ5œL{nlQr`8 0:|Ch2iMYguϳ-jəSN`cܑn̜07ÚL ~Dg詅m>`T4fs)wdmr)s77UBsNHB/W2 \_&VAB5 6d:ɤPl';oWfaD6#ΜD(MCZ&3 O.4uD8_-OAU&4%qӠ8TQƮ?CU^ٯVR8;OZV*ժ 5ǩUT\=W*ov L3)' Sf N|_ћxoũ1ztI9[J0t .rɵ>gs||ujN8alEc>eLZrlxTa5£M۩{ 0v?\ j Y58._g0p4J 922f`KP hԻu(bH=#CpBEWFڬ,t[4CuλWԲ)OkX@Aܚ:z,-HT0  d5}u*ՃZIe߯YUbY چHB&:GdHC>+`Zv*wj6Jh)XS!RW dĞeeKEdkC鳨ݙY$8MGFi$]k|[P vfVɭ>ZvN'_&Ʀ(ɘVNaۂf28ڇF18=[ ٔ|{.r 5:߼=Fh=Нt;Ǻq7ֿ,WE8&ϡRB7PUL xg4sDcC6VNMƏvpTm"z';"#^)9o$ L3)㦧RV*5 VN^Aұg.@C׳@g.7^y" ς2DД4Ϩ;Rb i kGQh-BwEj `3W?f44NcVqDM?ҁh)03fMٸUvJ0i5I+JZ{̡=2f{cV$ƾ.ܓG\\׆hoy!?"XWSwgtṡ)uRfCi5jZ)}#0Lpĵ)$gG }O.lU*JtP(]HX9H(P YGۻBlpI75 ),Ը'^`>"uZEg7W-s49Sj67 EGW%'K;{-g[I7S+t,#?]/8ʚ=?E]Nju>!94tYAG$ r>c]Zim}z{H&iR'D[3pu*lKhw QZ4ղoeW!=Cp0 š!l QڕCr^TAUbݩc3cE)vwR6x}y9b1 ?ݞne)ܱr0jw操~;Oj9vЛS}NԢnLq;f='Fs9X 1#6q pv#(;A\[𣉣S㻞Xn +0q)yuSOF 95C/3r°e}ۨ+=hGt?vJow{ѧmE tȳVTcf;i6ӱ$BUU+j*A\EVe.tՓN|2<9:k ,F} d3rT?#ziВ116onQ;-ԃz#AA}I.~(TR=n .fO뻬,J骇\v%(|MU-/^RRIJ>\$ϫ@" bY_BIKwvzkYXxlSOo O O=qԶفy|Syg,da6з0[)-)$Ιd<$J;mmoݍnL M A;&JX<%N>۴ rUCaC_:Z/0i0pDa?) W_M7⎍zkQ$g |o(o&򽡎xk5) kNW&/6o).w?.i{\nEaQn(^  }"t(u‰KtZ:F,튚yFu2jI `.zş:??z9+ֻMr a.jra7ˡpɵr~j muLv~e8c|o(t ~3G<{l9U]QX+2\8Orj!cu%hs˸m^\(5&h:пLaZLoC,x[/6Ɐ)(S -KOPE!ҟ`$npH:`5? HƋAv4^ haVJ]_@#=Iy=X3hue"ڮb'l<:_0d(΁,3C\aR:qQmk'5c; H}wĊkB{KL@%-rƛ,6|p,uYDd?^%أwgZL>c}V~cIŘAl҉JwܼRSdr̓.K2]q(#ua/(I=XaA΃`636Jj94{Mk1"7jy6RR'rLyntn]i/)2B߬1`!h 6ÁL\q'T^pa(ӈVxrjpp5r7-o!?Bٳ>Se)`@ GA}u~5ݛ 77o9_%ՈKC”h9G{i*BZ\,lH`"҇,T)ZM)F` DDb)2+hJ|ycƆ3]Gx%ߦ<Y4:BQ"`B}ϥ3L:^VTF1l&l&fN2.z"EyMx \Yڔ+K/ΕJ}LqsF@JKb8Y1$GdlS#|7ıY")*2Mu0'O"ݺT3 =;HضLs- =$x˽6FD~4@ljō!E0olXqC~x1&.-19:o($]UzèI"dc D'}"ޏB>_/< \֍n /dOt .\^y9}A tkN5 a M5OO!C /m5⚔Zڮ\ Q(,3as;5fhX"`a&тْ*'!W= 2 KfRƬG7Kƈ&EO3"F*^Ȭƣι#U^1= Ig%]3VM˨Ir+Ylr sh}hXo.o.o.o.ܥU(ۥD-4z`zItUlHST&mH}~b+A4aDtƸhokcӚ_W#_ ! "HjBY7ٗ९fD52FNrl*ӒԞz;4݀²=lKchfU'4Aа>p4dҠ>jEz>u=j¥\/B1xSo=Ci aor]cʆ8F+}}ǖa+@r%؁B@l~@SƌAE:~1upTOg<_[Z_aqH6*6f6;*qhh28p*%繥<t='`' X |OD~d(Bdk ?vaSwM t=~P,QH^.vM$ P@5O ! L?`3>3- [#ے ~[[)ˈ ACtg+j_v4yzzjVƛB ]kaRş /Wzە?)֥)(tSZD/@9֕{[dp3s}9 0Aڔ;6۬7ol;vj}m:㵙v=mVx{7i/`W۰:pXiy0m-mĬө{Ow+eYX -}-?Rg .Z}CtAm Aɼ=Ь%5:&SJD:`ٻ +┉faeL%3_5%H5pDʏDStrM{A sZ<#d(^"6}[,@Ukbw2О5"}C$&Hm(q Lϸjc"X8 7-~+7݃~Oeƌ9x`G3~i=fT⯠œ6fVPhs| ЌBMwȭn z`dDz/xTݦeq’ifSte f0} QCu&߮.[y菩yD#? KI&*F5su}9} jqh!Lz'5aL6P;IU6'a|Qb+@ʑVH5i3k>Gg5̈Gbv ]mz^CJ[7ݘ5S]<_q=%o7ݝUxfU'j*la0un=Ԙ̱h 7p :RrKq }lkTp*Bק6:F \ifӠZZGZI)JȋP^CswU/oؕ՚Tھ fOPfCё wIkF4֘OƯsP}"Z{2ֱ:semTd0o='Mp kHу%S@:}RC!%.aGV$(؛ Av1Q8Qr|{\׻5NaQtĸ/ČE˯0K{YMF^]C5XtDOINWD]%Ar9͌tg::~1~": $;Ni ͬͱ-j5%Fd]F-Rd3sK9Fa8TJ o J}J0$7ZmU!7TP cUh%%MF(hdtiguL!1E \TЍ~Uewޠ~z*ޟOg~fn*(5 .U@ī8AnKer6 1|L`DWY>8E) :ᛒWZ-]Fd>^hTJӑu `|$zB̥7b{@q 81q,-D|E|z['AU}>l1Hhb#H0Xth߶?#?4;}ۻhzxX2+2kJ9ܟv\@SgUL3x7 REnjMJlI=R+Y"K̯"2&.V!̆\oX|J71>B$!i"pwF}UO9PJƈ\尟aHp=S-g0ȘhD MQ VHxLirtvnOKZ&9a k(E$0II!5Q"f5,ǰglFLNHӹ@=۹fbWoH$P`+wdcF>b|99H"0XJ.JeEt037  c!Lz)%n67p>9oe!,a4`y.LYef xpƧX<>we~t:&Z!f5KfltQQ({b8+M u?؃3,ȏݭWHmݜ(81I)t#K/Hzs\ &H@PbJM*IdR|:PJ|+R0cU-(_cPw^7+Dz+YT( I+;}^)^nGL€،\ݹ1D9ސ&9iIqstq{g}RGݪ;֧Us/4N-fbv>4m^+LJrY:2 W6Sfr3\h^EqɃw]d;飱8/fsԝ(/E_VCĸҫSi0L57[vS+t?gg:^X9q.xUЦouR*'M&7bS׾hI]hD&5+ۼv)))'MfNyʻ9-AS~'O>99X_~)4;;B)urUN9{ϽOPi}ȁS%%̡̃%2>e9y yß(W9_}9P~S(GN%_^U\]_O7GtAts5u\9O{99k}9?~sC[(+[h6[Ku3Ay3GΚ׸pz~;}sS^.4s\}~)PW9P* ~2:ΕR+@^W~ KJ+ťfW*7yKxM}%k{[Z1iu}חG{1*,xW&2 )htVydS˼=>w懴Ixմ] &J2˯-cENZ9.~QFxdB$dZc+mFDt9|,y|8SNt7<17 }^1 B8 vt{zUtKn \ x; %> #r75ioŭxg?9/ydֺWWVF+p'k͠~%k"N^]xZLܸrpoQ^"#"5 | }Vj?f>pbOCvHy1nCg6'[u}Mz`MTV)pF;F,RK|c ,~(hعvЍ 5z$_ YW+8\xѴ;cv_@7ma IPkھZjZV G'7Hdr{)0#&4vX%PPeh[2pVS' yV8o[#D+)x>[xycE}_DmBrh0ly Nd`?$L,"(vY\IdblO]CgCVyx; Vhc 61dѮ51|gu¿BJ89tgj[L,iރz_M {z<8JN),#[ P`t{^=F.u/\șP=wvp.t zCcjd1Sk +cP<Ս-8ۈqef~wE۰Uwon*{O{ CqzvwʱDi`]ݎ;3䷱'/Հm'[_۲ìΤKad .d⟒GN*Sa⾋ėCO]WvBaIg >KcJ]wxP\dKEWn' Yg@@O ^BO֢#0umcOio@d!X3W]dA_d|bOhXU7M&2}ס)e4t%_ ;쭨F|m)۹f,ӧ6&GsMz=n~Pւ!نIrf[W1^{#E3dƨ4{5J(KESXnՂ]#rF331#qyU YT8V"?5zKJ%:*نx ]*Hvx0DEqb<#U:.~i\*$CbiG$]' "#_SahlypI>0)n9sD:9Am'{;*lٹK˜2J1Д8ٶ2#OA#r ԏ͛e[ O"C24a (fzc<znG}L4צJu #A]?_vs[>/৲`{v͆LVe؋$| _[0~YrJ~S.u 7tle @J] mE73B*}X^c 0У,*059G5EE6<]܈xݾØ gkOUxXURM)X7lRTFM¶":qpxm;}k{.*l+k[ȅnTLxI;s__@>{zw1G[0rcz7Y=׭ ɴ{%̅2 !IZxyU~ҥN.I,'aaQd+$*)ؐ k`LbV@P1,sTf7}OaN*)Asa#Dl [Ap^7׮msS<"Y<.'7gO|9-0$a1 +=c-hw͙!׆!0ו2EM1F(ͦ,1f=L.@| փ X{څGSE6:|,%ݐbVS"N$J i-9ON*dهl&~&TH,فl{[ЃTntLK-8q >/F"FԂ'g"eW~)IDy)/̀/(8ʓ}E.kqeQ*g T.7.Kwc~; <^e!$oꎾV;v@;Ju~iG a ѸTǓ߶;g'݋M mݸ͓nZRTFYS$DM zVsuC&ȕ/g5F#-<#DYf]*Z5Nj|܊#iQg8&rYOZi{mw9n~뉘h6JM? ۔̡9MR"Zi/!zR<>էr09g֊V&|&Z2c N_ loEC!)