It's probably old news by now.. but Greasemonkey has serious, potentially fatal security flaws. The dev blog entry is here.
Having said that though, it's still possible (although not recommended, certainly) to use the old Greasemonkey safely. If a script isn't injected into a page, it can't be exploited. So, making sure scripts only execute on explicitly added pages (instead of using wildcarded includes) is one option.
Another, more obvious option is to install the update. And live without the fancy gm_ namespaced functions for a while.
Unless the specific sites that I use Greasemonkey for are compromised, I think I'm fairly safe. Famous last words? Maybe
Re:NoScript
jdavidb on 2005-07-20T13:40:55
I use it, and it's a good thing, except for the infrequent times when NoScript crashes Firefox. I hope those will go away in a future update.
Re:NoScript
tinman on 2005-07-26T09:37:54
NoScript is actually pretty nifty
:) I installed it once the fuss about GM security broke. The whitelisting was a bit tedious, but it seems to work. I think the problem that was raised on the GM list was that it just allows (or disallows) Javascript. Malicious Javascript could be inserted into a page via some hackery and it would be allowed. This, at least, was the theory and so people were recommended not to use Noscript to cover up GM security flaws
:)
