You are here: Known Vulnerabilities in Mozilla Products (Firefox 220.127.116.11) > MFSA 2006-31
Mozilla Foundation Security Advisory 2006-31
Title: EvalInSandbox escape (Proxy Autoconfig, Greasemonkey)
Date: June 1, 2006
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 18.104.22.168
In Mozilla clients the primary use for EvalInSandbox is to run the Proxy Autoconfig script should one be specified by your network administrator. This is a rare option for home users, it is primarily used by institutional networks which have a need for remote configuration.
The popular Greasemonkey extension uses EvalInSandbox to run userscripts which manipulate the web pages you visit on your behalf. Using this vulnerability a malicious userscript could gain enough privilege to install malware, but even when Greasemonkey is working as designed a malicious userscript can make life miserable. Only install userscripts from sources you can trust.
On the Connection Settings preferences select either "Direct connection to the Internet" (the default) or "Manual proxy configuration."
If you use Greasemonkey user only install userscripts from trusted sources and inspect them for occurrances of valueOf(). Or simply disable Greasemonkey until you can upgrade to a newer version.