Once-Flawed Firefox Extension Fixed

The popular Firefox extension Greasemonkey has been re-released in a beta version that fixes the severe bug which earlier forced its developer to recommend that everyone uninstall the Web site-changing tool.

Two weeks ago, Aaron Boodman, Greasemonkey's creator, said that a flaw would let a malicious Web site read any local file on a Greasemonkey user's machine, or view the contents of all local drive directories. The vulnerability was so serious, added Boodman, that he advised users to either remove Greasemonkey or install a crippled version.

Beta 0.5 of the extension addresses the security problems. "Several important classes of attacks have been completely disabled and others have been made more difficult," Boodman wrote on his blog last weekend. "For now, I believe that there are no known major security issues with Greasemonkey 0.5 and that it is safe to use."

Greasemonkey lets Firefox browser users change parts of a Web site with small bits of JavaScript. Hundreds of scripts exist, and range from those that eliminate all Flash objects to others which show Amazon.com's prices in the user's local currency.

Although the normal route to Greasemonkey 0.5 -- the Mozilla Foundation's developer site -- is unavailable, the beta can be downloaded. The mozdev.org site has been offline since Tuesday morning EDT due to a broken water pipe and subsequent flooding at the Web hosting facility Mozilla uses. The site was still down as of noon Wednesday EDT.