July 20, 2005 12:05 PM PDT

Firefox add-on Greasemonkey slips up

The Mozilla Foundation is making available an update for a critical security flaw in Greasemonkey, an extension to the Firefox browser.

Greasemonkey is a popular add-on used to customize the design and behavior of Web pages. The flaw could let attackers read any file on a user's local hard drive and list the contents of local directories. The update, Greasemonkey 0.3.5, was released Monday, according to the download page on the Mozilla Foundation's Web site. The Mozilla Foundation coordinates Firefox development and marketing.

The flaw affects versions of Greasemonkey prior to 0.3.5, including early 0.4 alphas, according to a posting on Mozdev.org, a site where developers post applications and add-ons.

People who switch to version 0.3.5, however, will find it lacks the so-called GM* APIs, which are designed to make Greasemonkey more powerful than HTML, according to Greaseblog, a blog devoted to the extension. As a result, scripts that rely on these APIs will fail with the 0.3.5 version. "Greasemonkey 0.3.5 is a 'neutered' version of Greasemonkey," said a developer in a post to the blog.

Still, according to the same post, people should only use 0.3.5 at this point.

"I strongly recommend that everyone either install Greasemonkey 0.3.5, or else disable or uninstall Greasemonkey completely," wrote the developer, who is currently working on a fix.

No reports of the flaw being exploited have surfaced, according to his post.

Several security flaws have been discovered in Firefox recently, and the Mozilla Foundation released a security update for the browser earlier this month.

Additionally, a promotional site for the Firefox browser was hacked last week. The attack on SpreadFirefox.com was an embarrassment to the Mozilla Foundation, which uses security as a main selling point for the browser.

11 comments

Join the conversation!
Add your comment
Oh crap
Here we go again....
Posted by (18 comments )
Reply Link Flag
MF doesn't make Greasemonkey
"The Mozilla Foundation is making available an update for a critical security flaw in Greasemonkey, an extension to the Firefox browser. "

Th Mozilla Foundation merely hosts the site that all these extensions can be s easily found on. Thy do not make nor release the extensions.
Posted by (9 comments )
Reply Link Flag
point being?
I don't see anywhere in the article where they imply that Mozilla makes or releases those extensions.

A flaw in an extension was found and fixed and the Mozilla team is serving a fixed version of that extension for their customers. As simple as that.
Posted by nrlz (98 comments )
Link Flag
CNet reduced to reporting flaws in freeware utilities
Yawn.
Posted by M C (598 comments )
Reply Link Flag
making available
"The Mozilla Foundation is making available an update for a critical security flaw in Greasemonkey, an extension to the Firefox browser. "

"making available"
Posted by (9 comments )
Reply Link Flag
let us see here
one week 3 updates to mozilla firefox
plus their marketing site gets hacked because they don't apply "UPDATES"
all this with less than 10% market share

& we are suppose to belive FF is much secure
Posted by Aditya Ratnaparkhi (14 comments )
Reply Link Flag
well
well, you can go shout "HOORAY! THANK GOD I USE IE!" right before ANOTHER critical update is released which was exploited on your computer at least 5X already. yeah, go on have your fun. the fox may have flaws but at least they get patched. and usually before they get exploited. MS WAIT for a hole to be exploited before they BEGIN making a patch.
Posted by Scott W (419 comments )
Link Flag
LOL
They have about 7% now with a half % added each month and 1.0 has only been out since Nov....

The avg user has never heard of GM....
Posted by saleen351 (36 comments )
Link Flag
A clarification
2 updates to firefox in 1 week, not 3. 1.0.5 was a security update, and 1.0.6 fixed a non-security issue introduced in 1.0.5.

Also, the marketing site breach had nothing to do with the security of the Firefox browser.
Posted by cupsdell (12 comments )
Link Flag
SpreadFirefox is not Firefox the browser
The article specifically states "in the software that runs SpreadFirefox.com" which is not Firefox. Methinks there some IE-lickers here.
Posted by (1 comment )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.