July 20, 2005 12:05 PM PDT
Firefox add-on Greasemonkey slips up
- Related Stories
Firefox marketing site hackedJuly 15, 2005
Spoofing flaw resurfaces in Mozilla browsersJune 6, 2005
Mozilla releases Firefox security updateMay 12, 2005
Firefox add-on lets surfers tweak sites, but is it safe?March 23, 2005
Greasemonkey is a popular add-on used to customize the design and behavior of Web pages. The flaw could let attackers read any file on a user's local hard drive and list the contents of local directories. The update, Greasemonkey 0.3.5, was released Monday, according to the download page on the Mozilla Foundation's Web site. The Mozilla Foundation coordinates Firefox development and marketing.
The flaw affects versions of Greasemonkey prior to 0.3.5, including early 0.4 alphas, according to a posting on Mozdev.org, a site where developers post applications and add-ons.
People who switch to version 0.3.5, however, will find it lacks the so-called GM* APIs, which are designed to make Greasemonkey more powerful than HTML, according to Greaseblog, a blog devoted to the extension. As a result, scripts that rely on these APIs will fail with the 0.3.5 version. "Greasemonkey 0.3.5 is a 'neutered' version of Greasemonkey," said a developer in a post to the blog.
Still, according to the same post, people should only use 0.3.5 at this point.
"I strongly recommend that everyone either install Greasemonkey 0.3.5, or else disable or uninstall Greasemonkey completely," wrote the developer, who is currently working on a fix.
No reports of the flaw being exploited have surfaced, according to his post.
Several security flaws have been discovered in Firefox recently, and the Mozilla Foundation released a security update for the browser earlier this month.
Additionally, a promotional site for the Firefox browser was hacked last week. The attack on SpreadFirefox.com was an embarrassment to the Mozilla Foundation, which uses security as a main selling point for the browser.
11 commentsJoin the conversation! Add your comment