2005-07-19
Greasemonkey Flaw Means Firefox Is Insecure?
It just amazes me how much popular news sources like to totally twist situations simply to make reality more interesting. The most recent case is with the recent vulnerability found in the Firefox extension, Greasemonkey. This extension allows you to set up special site-specific scripts that allow you to customize any website on the Internet to your liking. A vulnerability in Greasemonkey was recently discovered, which could grant a malicious website significant access to your local filesystem. That's certainly a very bad thing, and fair grounds to recommend that all users disable their Greasemonkey extension.
But I've now seen several news sources argue that this vulnerability implies that Firefox isn't safe. Hold on a minute! You're essentially talking about two different applications here! It isn't as if Greasemonkey can be installed without deliberate user interaction. Greasemonkey is, for all intents and purposes, a program in and of itself that you simply need Firefox in order to install. It has about as much of a connection with Firefox (in terms of Firefox's security) as any software you would ever download and install with a web browser. Yes, Firefox allows you to install plugins that could potentially compromise your security. But that's the very nature of anything that has access to anything that can be installed!
Bottom line: the fact that you are able to install malicious plugins does not mean anything as far as Firefox's security. The difference between this and ActiveX in Internet Explorer is that Firefox always requires user confirmation before installing anything. Internet Explorer is regularly exploited to install things without any user interaction at all — you simply need to visit the malicious website. Anyone who thinks these two situations are even comparable is either out of his/her mind or hasn't researched this enough.
2 comments
Ryan Jones
Amazing, Mastertech is not using this as an argument in his "debate" that Firefox's extensions are more secure than ActiveX! What a fool.
Cheers,
Ryan Jones
Nanobot
Yes he is. In Firefox Myths 1.0.3, he says, "Firefox Extensions can be very unsafe. A vulnerability in older versions of the Greasemonkey Extension can be exploited by malicious people to disclose sensitive information." This is completely true, although I've never heard anyone claim that so-called myth. Extensions are certainly more secure than the present implementation of ActiveX in Internet Explorer (which is getting an overhaul in IE7), but Mozilla has never pretended that Firefox extensions are perfectly safe. They are, of course, always working to improve the security of the system. Firefox 1.5 already has in place some of the security measures that are being added to IE7, and Firefox 2.0 will probably be even further ahead of the game.