Greasemonkey Gets Security Makeover

A new beta of the popular Firefox browser extension fixes a potentially dangerous security vulnerability.

A new beta of the popular Greasemonkey browser extension has been released to fix a well-known—and potentially dangerous—security vulnerability.

The security upgrade comes less than two weeks after the discovery of the flaw, which prompted a major uninstall warning because of the risk of file hijack attacks.

The flaw is so serious that developers have warned users to completely uninstall Greasemonkey versions prior to 0.3.5.

Greasemonkey is a Firefox add-on that lets users load custom scripts to modify Web sites on the fly.

According to Aaron Boodman, one of the maintainers of the project, the Greasemonkey 0.5 patch "completely disabled" several important classes of attacks.

In Greasemonkey 0.3.4, it was possible for JavaScript on Web pages to use DOM mutation events to get references to the special GM API functions. This could be exploited by a malicious hacker to gain access to the contents of every file on an affected user's local hard drive.

"This has been fixed by moving user script execution away from content completely," Boodman said in a notice on the Greaseblog support site.


With the fix, Greasemonkey will now execute user scripts in a separate object—a "sandbox"—which is not part of the content window. "That means that content scripts cannot access it, and thus, cannot employ any of the tricks above to get access to the special GM APIs," Boodman added.

In earlier versions, it was also possible to block Greasemonkey itself by redefining certain content DOM methods that it used to inject scripts. "This has been fixed in [Greasemonkey] 0.5 by only ever accessing content via the special XPCNativeWrapper objects provided by Firefox for this purpose," he explained.

Another security issue, in the "GM_xmlhttpRequest" feature, has also been fixed so that the request can no longer use the "file://" protocol to read local files.

Even with the patched version, Boodman made a point to warn that "no software is ever perfectly secure."

"Greasemonkey's entire point of existence is to mash code from two different trust domains into the same space, so it has been particularly tricky. This will be an ongoing fight. But for now, I believe that there are no known major security issues with Greasemonkey 0.5 and that it is safe to use," he added.

In addition to the security fixes, Boodman said the new beta includes several new features and bug fixes.
