The developer of Greasemonkey, an extension to the Firefox browser, is making an update for a critical security flaw in the extension available via the Mozilla Web site.
Greasemonkey is a popular add-on used to customise the design and behaviour of Web pages. The flaw could let attackers read any file on a user's local hard drive and list the contents of local directories. The update, Greasemonkey 0.3.5, was released Monday, according to the download page on the Mozilla Foundation's Web site. The Mozilla Foundation coordinates Firefox development and marketing.
The flaw affects versions of Greasemonkey prior to 0.3.5, including early 0.4 alphas, according to a posting on Mozdev.org, a site where developers post applications and add-ons.
People who switch to version 0.3.5, however, will find it lacks the so-called GM* APIs, which are designed to make Greasemonkey more powerful than HTML, according to a posting on Greaseblog, a blog devoted to the extension. As a result, scripts that rely on these APIs will fail with the 0.3.5 version. "Greasemonkey 0.3.5 is a 'neutered' version of Greasemonkey," said a developer in a post to the blog.
Still, according to the same post, people should only use 0.3.5 at this point.
"I strongly recommend that everyone either install Greasemonkey 0.3.5, or else disable or uninstall Greasemonkey completely," wrote the developer, who is currently working on a fix.
No reports of the flaw being exploited have surfaced, according to his post.
Several security flaws have been discovered in Firefox recently, and the Mozilla Foundation released a security update for the browser earlier this month.
Additionally, a promotional site for the Firefox browser was hacked last week. The attack on SpreadFirefox.com was an embarrassment to the Mozilla Foundation, which uses security as a main selling point for the browser.

Talkback
Oh well, it looks like it's begun in earnest...
I don't claim to be a preacher of Internet Explorer, but then I've always said that its numerous security issues have not all been down to poor coding, but down to its popularity.
Now Firefox is beginning to make a dent in IE's market share (which will no doubt be helped by lack of 2000 support in IE7), it is becoming more of a worthwhile target to exploit-finders, as well as coming under increasing levels of security scrutiny. The results of this are a new flaw found seemingly every few days.
Not criticism, not preaching, just unfortunately a fact of life. The more popular you become, the more people will target you.
Saying this is a Firefox "slip up" is at best misleading, and at worst outright FUD.
Extensions are *not* part of the browser and are the responsibility of the developer, *not* the Mozilla Foundation.
Is it too much to hope that elementary facts like these are checked before throwing mud?
I am not sure that this flaw was discovered by the fact that somebody exploited it. My understanding is that it was discovered by vigilant members of the open source community. In that case, the comment by the first poster about "attacks beginning in earnest" is not true. Flaws in os products are found and patched much quicker than those in closed source.
What kind of double-speak is this?
"The attack on SpreadFirefox.com was an embarrassment to the Mozilla Foundation, which uses security as a main selling point for the browser."
It was an attack on the server which hosts the site for promoting the browser. Nothing in the browser was used / could be used to access the internals of the site server.
It has not a thing to do with security of the Firefox / Mozilla browser, not a single relationship can be found that might suggest, as you have, that Firefox / Mozilla browser security has been compromised again. So why did you follow that path at the end of that sentence?
Please don't write FUD and hope to get away with it when with a little more research the article you're writing can be much more effective and focussed. You can do better.