Warning for GreaseMonkey 0.4 users
I’ve had a few past posts introducing the magic Firefox extension GreaseMonkey. It was recently brought to my attention that the latest GreaseMonkey releases 0.4 contains a fairly serious security hole. I’ll try and keep the technical stuff out and explain in plain English.
If you’re using GreaseMonkey 0.4, downgrade to 0.3.3. Within the latest milestone release is an httprequest which malicious sites could use to their advantage. Essentially, visiting a malicious site while running GreaseMonkey GM 0.4 would allow the server to “GET” a directory of your current computer files. What does this mean? It means that your important documents / files could be available to other users online. Before you OSX users start gloating, the vulnerability exists for you as well.
Update: According to the GreaseBlog, it is highly recommended that GreaseMonkey users install GreaseMonkey 0.3.5 or disable the extension all together. It’s a “neutered” version which lacks the more advanced GM API’s.
Sorry, Comments are Closed.