[Web4lib] Greasemonkey exploit : uninstall or upgrade to 0.3.5 immediately.
Jeremy Dunck
jdunck at gmail.com
Thu Jul 21 12:27:16 EDT 2005

Somewhat off-topic, but I know some folks on this list are using
Greasemonkey to do OPAC hacks and such.

Greasemonkey has a severe exploit. We feel terrible about this.

Status/apology here:
http://greaseblog.blogspot.com/2005/07/mandatory-greasemonkey-update.html

There's a decent writeup of the issue here:
http://simon.incutio.com/archive/2005/07/20/vulnerability

Short version: any site upon which a script is injected can get the
contents of your local hard drive.

0.3.5 is a neutered version which removes all the GM_* API functions,
which breaks any script using those, but is also safe.

Download here:
https://addons.mozilla.org/extensions/moreinfo.php?application=firefox&id=748

Any official 0.4 release will fix these exploits while keeping
compatibility as much as possible. We're still working on that.

Mark Pilgrim has written a script which can be used to warn any end
users that they are using an insecure version:
http://diveintogreasemonkey.org/download/gmdetect.js

"
If it detects leaking APIs, it displays a warning message telling the
visitor that the version of Greasemonkey they are using has critical
security flaws, and points them to the Greasemonkey home page for
download, or the specific mailing list message that gives details on
the vulnerability. Has no ill effects in IE, Opera, Safari, Firefox
without Greasemonkey, or Firefox with GM 0.35.
...
Open source, MIT-licensed. Just drop it into any page, no
initialization required.
"

There are no known exploits in the wild, but that doesn't mean they're
not out there.

Again, sincere apologies for this trouble.

-Jeremy Dunck