Firefox Greasemonkey Extension Security Problem 443
Mr2001 writes "A recent thread on the Greasemonkey mailing list suggests that the popular Firefox extension is fatally insecure. It seems rogue pages can read any file from your disk and send it to any site, using an XmlHttpRequest. Time to uninstall GM?"
It's about time (Score:4, Funny)
http://www.dreamsyssoft.com [dreamsyssoft.com]
Re:It's about time (Score:4, Insightful)
Re:It's about time (Score:5, Informative)
IIS 6 Exploits [secunia.com]
Apache 2.0x. [secunia.com]
Please do some basic research before making comments on security.
Re:It's about time (Score:3, Interesting)
Have you looked at the apache security vulnerabilities? There was only one in 2005, and here is the link to the cve:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN - 2004-1387 [mitre.org]
It's not even about apache, it's about a third party apache-utils. That package isn't even part of my distro. i have no such script called check_forensics.
The only other unpatched issue with apache is th
Re:It's about time (Score:5, Informative)
OK, stop with the pure FUD. Using the Secunia link you provided, it shows that IIS5 has one unpatched vulnerability, which is rated Not Critical, which is the lowest rating possible. Not only are the unpatched flaws in Apache more serious, there are also more of them! Please, stop with the BS.
gauntlet (Score:4, Funny)
Quick, lets band together with a magician and a warrior and stomp those bow&arrow shootin mofos before they take over the internet!
Re:gauntlet (Score:5, Funny)
Re:gauntlet (Score:5, Funny)
Re:gauntlet (Score:5, Funny)
GreaseMonkey Problem (Score:2, Funny)
Let's Throw MUD! (Score:2, Insightful)
I'm not saying that FireFox is perfect. Obviously, it's not, and this article is a case in point. It's still the browser I use. For me, this is a warning to fix things or wait for them to stable up (oh yeah -- that mindset shown, I am a Debian user). But just like we use any little IE thing to say "Se
Re:Let's Throw MUD! (Score:5, Insightful)
And the winner of the Slashdot "Who can be the first to blame Microsoft for a bug in FOSS is..."
The problem is not bugs, the problem is that nobody designed their systems to deal with the real security threats presented in the Internet today.
The principle cause of Microsoft's security problems today was their addiction to 'featuritis' in the 1990s. If you think that the open source community does not have the same problem you need to take a serious look at some FOSS programs.
There is nothing that can't be fixed but first people have to realize that FOSS has just as much need to fix them. Everyone in the security community will tell you that making the source code available does not guarantee that your code will be secured. We have enough trouble getting engineers to review their own code.
We need a new approach to writing secure code. Before that can happen a lot of FOSS people need to loose their complacency. Microsoft is not the enemy here, the criminal gangs are the enemy.
Re:GreaseMonkey Problem (Score:5, Funny)
It's Microsoft's fault that people have to install insecure extensions to make web work like it should have worked in the first place.
Re:GreaseMonkey Problem (Score:2)
1000 greasemonkies on a thousand keyboards... (Score:3, Funny)
Re:FF's greatest strength also its greatest weakne (Score:3, Informative)
Re:FF's greatest strength also its greatest weakne (Score:3, Informative)
This is one of the reasons that I avoid FF. It's pretty minimal out of the box.
Pretty minimal? WTF are you smoking? Firefox does everything for me right out of the box that I could ever ask it to do. I have installed it (total time including download less then a minute in most costs) on machines all over the place in lieu of using IE. I never have to download any extensions or plugins for it.
In fact the only plugin that I have installed on FF at home is Macromedia Flash. Other then that it comes wi
More Ammo (Score:5, Insightful)
Marvelous.
Luke
----
Be smart. Teach others. ChristianNerds.com [christiannerds.com]
Re:More Ammo (Score:2)
Re:More Ammo (Score:5, Insightful)
Plus, the solution "uninstall it until we fix it" is pretty decent when it comes to security. Think we'll ever hear "Uninstall IE until we fix it" anytime soon? :o)
Re:More Ammo (Score:5, Insightful)
Re:More Ammo (Score:5, Insightful)
Re:More Ammo (Score:5, Funny)
Re:More Ammo (Score:2)
First, Firefox isn't mainstream, let alone GreaseMonkey.
Second, I am already on windows.
Why Uninstall? (Score:5, Informative)
Why not just do what the article says and "Install Greasemonkey 0.3.5 [atrus.org]"
Comment removed (Score:5, Insightful)
Re:Why Uninstall? (Score:5, Informative)
Re:Why Uninstall? (Score:3, Insightful)
Re:Why Uninstall? (Score:5, Interesting)
I thought that GM was a way for me, the web user, to impose some scripted changes onto pages. I didn't realize it was used by site-designers to do anything HTML (+JavaScript, etc.) didn't allow.
I don't want to give site-designers any more power, so if that's prevented by neutering GM, I'm fine with that.
Re:Why Uninstall? (Score:3, Informative)
Re:Why Uninstall? (Score:4, Informative)
Re:Why Uninstall? (Score:3, Informative)
Well, this is the recommended course of action. However, Greasemonkey 0.3.5 is crippled. It does not contain the special GM_ functions so the majority of scripts will break.
Anything that uses GM_XMLHttpRequest, GM_setValue or GM_getValue or GM_Log will not function. It was the developers attempt to make sure that no remote exploits popped up while they were working on the best possible fix.
So, no. Don't install the update and expect things to function normally, they will not.
Re:Why Uninstall? (Score:4, Interesting)
Re:Why Uninstall? (Score:2, Informative)
That's all I need.
Re:Why Uninstall? (Score:2)
In fact, as far as anybody should be concerned there is no installable update. I'm not about to install some random-ass XPI just because it claims to be a GM "fix".
As much as I like using it, I'm uninstalling. And this gives me the willies about all those semi-random but cool extensio
Re:Why Uninstall? (Score:2)
What should be done. (Score:4, Insightful)
Re:What should be done. (Score:4, Insightful)
Forcing you to intentionally accept extensions is not a big security threat at all.
This is just a bug. Bugs happen. It's been fixed already.
Re:What should be done. (Score:2)
Re:What should be done. (Score:2)
The best solution in my opinion is to have the same context menu as blocked popups. "Install this software" when you click on the banner up the top that says it has stopped the page trying to install an extension on your computer.
Re:What should be done. (Score:5, Insightful)
Re:What should be done. (Score:4, Insightful)
Re:What should be done. (Score:4, Informative)
Microsoft's Anti-Spyware monitors the installation of BHOs. BHOs can easily be blocked or removed: MS Antispyware > Advanced Tools > System Explorers > Internet Explorer > IE BHOs.
Re:What should be done. (Score:2, Interesting)
I have stated it here before:
Just like ActiveX controls proved a hole in IE, FireFox's extensions would eventually prove a hole in the XUL based 3rd party FireFox extensions arena now & this browser itself, & thus, your OS etc. as well via this gateway.
This is/was 1 thing FireFox imo, had on Opera (my 'browsing weapon-of-choice' online because it wins the speed test comparisons between them all in the most areas typically, but also because it is the LEAST attacked browser as we
Exactly! (Score:3, Insightful)
No matter how secure the core Firefox code is, it is all meaningless with the current extensions model. With the current model (or lack of one) a malicious (or plain buggy) extension can turn Firefox into a bigger threat than IE.
From my understanding, Firefox extensions aren't restricted from doing I/O or listening on sockets/etc. What's to prevent somebody from writing a seemingly harmless extension which silently dumps all act
Playing in the sandbox (Score:5, Insightful)
That said, I haven't seen a really good way to manage permissions. It's just not practical for an applet to say, "In order to run this, you need these 47 permissions" and expect you to fix that. With cleverness the modeler could create roles with aggregates of permissions, so that you can say, "This app needs access to your browser UI" (like Tabbrowser).
Still, that's asking the user to make a lot of security judgments based on trust. Some extensions/applets/ActiveX should be allowed to modify your hard disk; most shouldn't. How can the user tell?
It's a hard problem, one that I don't have a good answer to. I know Microsoft's solution (based purely on a yes/no trust decision) sucks. But I'd say the problem isn't the over-restrictiveness of the sandbox, but the difficulty of asking the user to manage his/her sandbox well.
Re:What should be done. (Score:3, Informative)
The firefox guys should have realized that extensions are a HUGE security threat
The Firefox guys did; fortunately this has very little to do with FF extensions! It's an issue with GreaseMonkey User Scripts, which are javascript files run by the Greasemonkey extension. Extensions are OK; certain Greasemonkey user scripts *may* not be.
For anyone who's never heard of GreaseMonkey - DON'T PANIC! It doesn't affect you: nothing to see here, move along, please.
For folk who use GreaseMonkey, continue to exer
Re:What should be done. (Score:2, Insightful)
Hyperbole (Score:3, Insightful)
While some kind of "security" layer sounds nice, I'd like to know what you suggest, specifically. A popup box saying "this site is requesting permission to read file X"? User clicks ok, every time, and they quit looking at it after a while. Then you wrote this:
Fixed? (Score:2, Informative)
Re:Fixed? (Score:2, Informative)
Opera's answer... (Score:3, Informative)
What did they expect? (Score:5, Interesting)
Allowing scripts to open files and send them elsewhere is especially bad, but there was a huge security concern to me either way. I like the concept of GreaseMonkey, but choose not to install it.
Possible solution - NoScript extension is great ! (Score:5, Interesting)
To run a Greasemonkey script on a page you have to allow that domain or subdomain in NoScript. This prevents Greasemonkey being used on a rogue page as I wouldn't use a script on an uber-dodgy site anyway!.
More details on the exploit... (Score:5, Interesting)
Here are some more details from the posting thread, which explains why the exploit is so bad...
This particular exploit is much, much worse than I thought. GM_xmlhttpRequest can successfully "GET" any world-readable file on your local computer.
f ile-leak.html [diveintogreasemonkey.org]
returns the contents of c:\boot.ini, which exists on most modern
Windows systems.
http://diveintogreasemonkey.org/experiments/local
But wait, it gets worse. An attacker doesn't even need to know the exact filename, since "GET"ting a URL like "file:///c:/" will return a parseable directory listing. (And Mac users don't get to gloat either; you're just as vulnerable, starting with a different root URL.)
In other words, running a Greasemonkey script on a site can expose the contents of every file on your local hard drive to that site. Running a Greasemonkey script with "@include *" (which, BTW, is the default if no parameter is specified) can expose the contents of every file on your local hard drive to every site you visit. And, because GM_xmlhttpRequest can use POST as well as GET, an attacker can quietly send this information anywhere in the world.
The above information posted originally by Mark Pilgrim [mozdev.org]
Re:More details on the exploit... (Score:2, Insightful)
bin boot dev etc home initrd lib lost+found man media misc mnt opt proc root sbin selinux srv sys tftpboot tmp usr var
Re:More details on the exploit... (Score:3, Informative)
Greasemonkey 'adds' stuff to Javascript. Any page on the internet can use these additions.
If you have Greasemonkey installed, and Javascript enabled (Greasemonkey is rather pointless without Javascript anyway.), you are at risk.
You can't 'be safe' by only doing certain things, because the flaw is that any page on the internet can call Greasemonkey functions. (Any page that can use Javascript, at least.) It has nothing to do with yo
Here's TFA (Score:3, Informative)
A severe security issue has been discovered in Greasemonkey versions prior to 0.3.5 as well as the early 0.4 alphas which some people may have installed.
Install Greasemonkey 0.3.5 or uninstall Greasemonkey immediately.
More information on Greaseblog.
Greasemonkey is a Firefox extension which lets you to add bits of DHTML ("user scripts") to any web page to change its behavior. In much the same way that user CSS lets you take control of a web page's style, user scripts let you easily control any aspect of a web page's design or interaction.
For example, you could:
Make sure that all URLs displayed in the browser are clickable links Improve the usability of a site you frequent Route around common and annoying website bugs Use the Coral content network selectively.
Getting started:
Install Greasemonkey 0.3.5. Learn how to use Greasemonkey. Find useful scripts.
Greasemonkey was heavily inspired by Adrian Holovaty's site-specific extension for All Music Guide and the conversation which ensued after he published it. There were tons of sites I wanted to create SSE's for, but fully-fledged firefox extensions proved too cumbersome. I wanted it to be as easy to create an SSE as it is to write DHTML.
The current maintainers are Aaron Boodman and Jeremy Dunck with the invaluable help of an awesome community of user script enthusiasts.
For questions or comments about greasemonkey, please send a message to the greasemonkey mailing list. Copyright © 2000-2005. All rights reserved. Terms of Use & Privacy Policy.
Notice hoe they avoid explaining the problem/solution. They just want you to see these new exciting features, and download it now!
Re:Here's TFA (Score:2)
Our Fault (Score:5, Funny)
We can blame God for all kinds of things like hurricanes and Godzilla but it's a safe bet that we brought THAT scourge upon ourselves.
Re:Our Fault (Score:3, Funny)
Hey, now! We all know perfectly well that Godzilla was a result of the United States dumping radioactives into ocean waters, part of their plan to keep on supressing Japan after the war. After all, if Tokyo hadn't been leveled by Godzilla every 6 months, Japan would have taken its rightful place as ruler of the world!
Is that really a problem? (Score:2)
Re:Is that really a problem? (Score:4, Funny)
Nice try Bill, we know it's you.
Re:Is that really a problem? (Score:2, Funny)
You know, there are also other OSes than windows...
But, but, but (Score:2, Funny)
Re:But, but, but (Score:5, Informative)
ING (Score:4, Insightful)
One of them is bound to notice, eh?
So it works! Sweet!
Sam
Re:But, but, but (Score:2)
The fact that you now know about its insecurity means that the system works.
Though I agree projects like firefox are way too large to get enough people in on it.
Uninstall / Remove (Score:2, Interesting)
Would anyone have that info to post?? Thanx
If I'm not terribly mistaken (Score:2)
Re:Uninstall / Remove (Score:4, Informative)
Go to "tools", go to "Extensions", click on the greasmonkey extension and click "uninstall" or "update".
Re:Uninstall / Remove (Score:2)
Tools -> Extensions
Locate Greasemonkey in the list, highlight it, and click the Uninstall button at the bottom. Accept the alert dialog and restart Firefox.
Rock paper cissors (Score:4, Funny)
no, Time to stop browsing as root! (Score:2, Insightful)
Guess it can't access "all" the files on my system then, can it?
A HELPFUL TRANSACTION. (Score:5, Insightful)
(MOZILLA SOCIETY REPRESENTATIVE) Why, good sir, we shall help you forthwith! We have exactly the web-browser that you need! It has been engineered to the most careful of specifications, and its security is without compare!
(MAN) Why then I shall have one immediately!
(LATER)
(RANDOM STREET URCHIN) Sir, I see that you have this day procured a web-browser, which I see under your arm. May I convince you to also take this complex contraption of my own invention, which will attach to your web-browser as a "plug in"?
(MAN) What, what? An inscrutable device of unclear ultimate function furnished by a stranger of whom I know nothing? Yes, yes, why not. Now run along, lad.
(LATER THAT NIGHT, THE CONTRAPTION PROVIDED BY THE STREET URCHIN EXPLODES, SETTING THE WEB BROWSER AFLAME.)
(MAN) What's this? Oh, mama! The web-browser I have this very day recieved from the Mozilla Society has immolated, consuming my drapes and lighting my house aflame. They told me it was secure! Lies! Betrayal! Those Mozilla Society rapscallions! I'll give them what for!
Re:A HELPFUL TRANSACTION. (Score:3, Insightful)
If we were Microsoft (Score:2, Insightful)
However there is a reason for this attatude.
Bug that makes it possable to run code on remote users box:
Users say "Oh no bug bug. Get rid of it"
Develupers say "Ohh feature feature keep it, expand it"
Security experts say "Bug"
If the develupers provide a strong enough argument the "bug" is classified as a feature and remains.
it's not any file from your disk (Score:2, Interesting)
It seems rogue pages can read any file from your disk and send it to any site, using an XmlHttpRequest.
Only if the browser has all the rights, which is a very dumb thing to do no matter the platform.
On my main Un*x box, Firefox was installed in a normal user account (using the
I'm pretty sure that Firefox/GM installed in a non-privileged
1986 (Score:5, Informative)
Bad idea then. Worse idea now, no matter how much supposed security you surround it with.
Maybe I'm clueless, but... (Score:4, Insightful)
I realize it's likely due to the nature of Firefox's JS interpreter, but if this sort of separation isn't viable could someone enlighten me as to why?
Re:Maybe I'm clueless, but... (Score:5, Interesting)
In the really integrated solution like Opera has (as opposed to an extension like GM is), userscripts have their own security context. The really powerful functions in Opera's userscript are not available to the page author. All functions in GM, including the most powerful, are available to the page author, and Mark Pilgrim just found out this includes unlimited read access to your local file system.
The GM developers are aware that this is a problem, but haven't developed a better way yet to inject the scripts in the page. So the newly secure release 0.3.5 removes the most powerful functions.
So Mozilla is no better than IE? (Score:3, Insightful)
So basically... Mozilla is just as much of an insecure platform as IE, because they allow plug-ins.
Yeah, yeah.. It's Greasemonkey... it's some stupid add-in piece that you have to explicitly install.
But that's also the way most spyware get's on IE. People get prompted "Please download and install this, and make sure you say 'Yes' when prompted is that ok?"
and people do it...
why? Because they are promised free porn, free poker, free music, or a free trip to Nigeria to collect their $10 million.
Welcome to the real world!
If a cold is no better than pneumonia... (Score:5, Interesting)
Not quite.
The big problem with IE is not just that it has a plug-in mechanism, but it has a plug-in mechanism that's based on the HTML control (the actual browser component) assigning the right to install plugins to an object (the web page) based on an ad-hoc security model that's based on the location the object is believed to originate. Certificates, security dialogs, and so on... these are layered on top of this, but basically the HTML control is responsible for figuring out if a "dangerous" action should be allowed with no more than hints from the calling applications, and a jargon-filled dialog box that the user has to decide on RIGHT AWAY.
I get calls from my users all the time that are variants on "this dialog box came up and I hit 'yes' without thinking".
So... the control is pervasive, it's used by lots of applications, the API can't be significantly changed without creating a mass upgrade day for every app that uses it, responsibility is placed in the wrong place, and the user interaction encourages mistakes.
Firefox's extension mechanism has a similar problem with its installer, but:
The extension installation mechanism is part of Firefox, not the Gecko HTML display object, so applications using gecko aren't automatically exposed as well.
The Firefox extension API does not depend on the installer's behaviour, it's possible for Firefox to switch to a more secure download-and-install design without breaking any applications.
The user interaction requires three separate steps, and there's no path through those steps that simply answering "yes" by reflex will result in the extension being installed.
In addition, in Windows, there have been a number of attacks that involved tricking the HTML control into thinking that a remotely downloaded object was local... or even already installed. This approach is not possible in Firefox because instead of allowing plugins to run from anywhere except the places it thinks are dangerous, it doesn't allow plugins to run from anywhere except a specific directory that's got a randomly generated name in its path so it can't be targeted by a download.
I would still recommend using a shell other than Firefox around a Gecko- or KHTML- based browser. I use Camino (Gecko) and Safari (KHTML) on Mac OS X, but I'm sure there are equivalents to these for Windows. But regardless, the exposure from using Firefox is so far less than using IE that if Firefox and IE are your only choices... use Firefox.
I do not recommend using the Netscape browser, because of the way it allows the use of either Gecko or the Microsoft HTML control.
Re:Windows Feature? (Score:4, Informative)
Re:The next messge in the thread is worrisome (Score:2, Informative)
Re:The next messge in the thread is worrisome (Score:2)
There's a proper way to handle exploits. Disabling a piece of software under the guise of an "update" wasn't the way to do it.
Re:The next messge in the thread is worrisome (Score:2)
Re:The next messge in the thread is worrisome (Score:2)
Even if you give an extention a new major version number it is still an "update" as far as Firefox is concerened. There isn't any way of calling it anything else.
As for trust, if they didn't plug a sersious vulnerability I think they would lose more.
Does 3.5 "totally cripple" GM? The article and this thread haven't been very clear.
Um, you don't actually use Firefox do you? (Score:4, Informative)
You mean like in Firefox, where when updates are available all the auto-update feature does is display a little "updates available" icon in a browser window, then offer to install the updates when you click the icon?
Re:Um, you don't actually use Firefox do you? (Score:2, Flamebait)
You make 2 assumptions, both wrong:
Calling it an update, when in actual fact its not, is not the way to engender trust among us
You're being silly. (Score:3, Insightful)
Calling it an update, when in actual fact its not
I assure you, every user in the world who is not insane considers "removes a vulnerability that potentially allows any website to read your hard drive" an "update".
I also assure you that if you want to engender trust among your users, removing as immediately as possible bits that would allow any website to read your hard drive is the way to do it.
If upgrades that incidentally break features are illegal, then every single software company in the worl
Re:The next messge in the thread is worrisome (Score:2)
Intentionally causing damage is illegal, turning something off becuase it is a big security hole? I don't think that fits cleanly under "intentionally causing damage".
You can make an argument for it being "damage", but it doesn't seem nearly as cut and dried as you make it out when you say "this is illegal".
Re:The next messge in the thread is worrisome (Score:4, Insightful)
Gator and Weatherbug are not illegal, sadly - the EULA as justification for inclusion has been upheld. The user is in fact getting a bug fix - the bug that allowed for a major security breach is being removed. You may not like that bug fix, but sucks to be you. GM is not disabled by this update and many scripts will continue to run. Insecure scripts will not.
Re:The next messge in the thread is worrisome (Score:2)
When you have a problem, its best to be as open and aboveboard as possible. Tylenol was a good example of this when that guy started putting poison in their pills. More recently, ditto Wendys and the finger.
What they're doing (posting crippleware as an "update") is more like giving everyone the finger.
Re:Problems everywhere (Score:2)
The good thing, of course, is that malware tailored to a specific exploit takes time to craft and widely deploy, so very rapid patching can act as a deterrent (re
Re:hold on a sec (Score:2)
Re:Isn't it the same? (Score:2, Insightful)
You choose whether or not to install a plugin.
Firefox, without any extensions, is probably hundreds of times safer then IE. Comparing Firefox with a bad plugin installed to IE, which is full of holes out of the box, is like comparing a Ferrari with a flat tire to a old junker and saying the junker is better.
Re:Isn't it the same? (Score:5, Insightful)
Perhaps there is some credibility to the arguement that once usage of a software package becomes widespread enough, there will be people who find ways to use it to their (malicious) advantage, regardless of the built in security features.
The Firefox XPI model needs re-evaluation... (Score:4, Insightful)
I've been arguing that the Firefox XPI model needs to be re-evaluated from a security standpoint for some time now.
1. Installing XPIs should not be initiated from a web page. They should be downloaded and manually installed, like any other application or application plug-in. This would allow any attacks that involve using the installer for privilege escalation to be eliminated.
2. Expanded rights should not be granted to any javascript that has not been explicitly installed.
3. As a corollary to this, any method that leads to an eval should, when run from a script that's part of chrome, unconditionally revoke those rights. A new method that explicitly evals code with greater rights with a name that makes it clear that it's dangerous can be added if it's actually necessary.
Re:The Firefox XPI model needs re-evaluation... (Score:3, Interesting)
Yes, but by no means as great a degree as you seem to think.
I would like to address your first point. Where you stated that XPIs should not be initiated from a web page.
That's correct.
Which the point of this is to allow a cross platform installer.
It's not necessary to allow XPI to be installed by a remote web site to allow a cross-p