Pale Moon 25 Released

SouthPark · Jul 28, 2015

RJK3 said: ↑

The latest version of Pale Moon (25.6.0) has an optional feature for interfering with canvas fingerprinting. It needs to be manually enabled via about:config, see here:
http://www.palemoon.org/releasenotes.shtml

One can easily test it working here:
https://www.browserleaks.com/canvas
Click to expand...

Thanks for the info!

Dermot7 · Aug 4, 2015

Users of the Pale Moon web browser who try to install the popular adblocking extension Adblock Plus won't be able to do so anymore as it was added to the blocklist by the Pale Moon team.

Pale Moon users who have it installed may have noticed that it is no longer enabled either.
Click to expand...

http://www.ghacks.net/2015/08/04/pale-moon-blocks-adblock-plus/
Pale Moon forum • View topic - Adblock Plus blocked.

LimboSlam · Aug 4, 2015

WARNING: there is a bit of a flame war going on, so please prepare yourself for some fireballs!

Just read some of the commits and it really ticked me off!

Dermot7 · Aug 6, 2015

A first (public) beta of Pale Moon 26.0 with the new Goanna back-end is now available!

Please read the information about using this beta on the website before you try to use it.
Information and downloads: http://www.palemoon.org/WIP/
Click to expand...

Pale Moon forum • View topic - Pale Moon 26 (Goanna) beta1 published!

wolfrun · Aug 7, 2015

If it will support uBlock Origin then I am game to try it.
EDIT: Have installed Palemoon Goanna beta 26.0 and so far running well in Sandboxie although I had to revert back to sandboxie 5.01.3 because of flash and plugin container crashing while in Sandboxie 5.01.6. Also no problem with uBlock origin running in PM Goanna.

Dermot7 · Aug 26, 2015

25.7.0 (2015-08-26)
This is a bugfix and maintenance release.

Fixes/changes:

Code cleanup: Removed the (otherwise unused) visual event tracer code.

Code cleanup: Removed reflow performance tracing code (telemetry).

Fixed a key JavaScript bug where defining properties on an object would wipe the object.
This seems to be a common issue with "modern" libraries that use "define" instead of "change" and expecting the other properties on the object to be retained, resulting in "x is undefined" errors all over the place if the object is wiped.
This aligns the behavior with ES6's "Validate and apply property descriptor" pseudo-function.

Updated the SQLite library to 3.8.11.1.

Added support for the element.matches() Web API function.

Added support for BASE tag parsing in source view. Previously, when viewing the source of a document, clickable links would be incorrect if a base path was specified in the document with this tag.

Fixed an issue with running timers after the computer would have been put to sleep with the browser opened.

Security fixes:

Added protection against potential bugs where our SVG mPositions is out of sync with the characters in the DOM. DiD

Fixed use-after-free vulnerability in XMLHttpRequest::Open() (CVE-2015-4492)

Fixed use-after-free vulnerability in the StyleAnimationValue class (CVE-2015-448

Fixed crash or memory corruption in nsTArray (CVE-2015-4489)

Fixed crash or memory corruption in nsTSubstring::ReplacePrep (CVE-2015-4487)

Fixed potential escalation of privileges or crash (out-of-bounds write) via a crafted name in MARs (x64 only) (CVE-2015-4482)

Fixed an issue that would allow man-in-the-middle attackers to bypass a mixed-content protection mechanism via a feed: URL in a POST request. (CVE-2015-4483)

DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.
Click to expand...

https://www.palemoon.org/releasenotes.shtml

wolfrun · Aug 27, 2015

Out of Palemoon Goanna for now and updated back into Palemoon 25.7. Will go back into Goanna when there is a stable release.

LimboSlam · Sep 1, 2015

Beta 2 is out of the Goanna engine, please visit here to get a copy: http://www.palemoon.org/WIP/. And to report any issues, please do it here: https://forum.palemoon.org/viewtopic.php?f=5&t=9360. Thanks!

wolfrun · Sep 1, 2015

Re Goanna - Have it installed and testing it out as we speak.

cnople · Sep 26, 2015

I've installed Palemoon as a newbie to this browser, and I'm liking it so far (Firefox would freeze and 'not responding' all the time). I may be a convert.

I'm unsure however as to the security aspects of this browser, does it have all the latest security updates as per the latest Firefox version? Or are they 2 different beasts? I like to be secure.

Dermot7 · Sep 26, 2015

cnople said: ↑

I'm unsure however as to the security aspects of this browser, does it have all the latest security updates as per the latest Firefox version? Or are they 2 different beasts? I like to be secure.
Click to expand...

Hello @cnople, hope this may help to answer your questions:
https://www.palemoon.org/faq.shtml#Is_Pale_Moon_safe_to_use

Pale Moon is based on the Mozilla release source code that has a large community of developers and security-aware people, next to having seen over a decade of development by now. In addition, the Pale Moon team checks and verifies any reports of issues that might impact your safety on the web. It includes, among other things, protection against dangerous add-ons, automatic checking for updates of add-ons, password protection (master password), website-identity information in the address bar, and private browsing.
Pale Moon's development includes a critical evaluation of potential security risks which are addressed in each new release, with on occasion a point-release for critical issues that is released as soon as possible after the security issue comes to light.
Click to expand...

https://www.palemoon.org/technical.shtml#Firefox_Differences

The differences are increasingly significant as time passes. Pale Moon will remain close to Firefox in many parts of the code to ensure compatibility with as many add-ons as possible, but should be considered a "fork" and a totally independent product.
Click to expand...

Addressing any security concerns promptly is always a priority for the Pale Moon developers, and its userbase has grown a lot in recent years (to 500K+ users), often as a result of Firefox users becoming tired of Mozilla's apparent direction.

Here are a couple of threads from the PM forum, which might help to allay any concerns:
Pale Moon forum • View topic - [solved] OCSP security
Pale Moon forum • View topic - Critical Firefox bug - Palemoon safe?
Pale Moon forum • View topic - Mozilla, Google, and Microsoft will disable RC4

The Red Moon · Sep 26, 2015

cnople said: ↑

I've installed Palemoon as a newbie to this browser, and I'm liking it so far (Firefox would freeze and 'not responding' all the time). I may be a convert.

I'm unsure however as to the security aspects of this browser, does it have all the latest security updates as per the latest Firefox version? Or are they 2 different beasts? I like to be secure.
Click to expand...

If security is your primary concern then palemoon is not the browser for you.I suggest chrome as it has a security sandbox.
I see no reason to use this over firefox to be honest especially on a linux machine and the maintenance of the linux version seems iffy at the best of times.

its your call but i would stick with well known companies rather than relatively new small outfits like palemoon.

Thanks.

RJK3 · Sep 26, 2015

cnople said: ↑

I'm unsure however as to the security aspects of this browser, does it have all the latest security updates as per the latest Firefox version? Or are they 2 different beasts? I like to be secure.
Click to expand...

The main developer behind Pale Moon is very responsive to security vulnerabilities, and focused on avoiding foreseeable problems with the direction FF updates have gone in.

If you read the release notes, the general approach is to include relevant security patches immediately (i.e. before general updates). They also tend to avoid adding new features if they think it'll increase the surface area for possible exploits e.g. certain HTML5 components and inline PDF browser.

Generally (IMO) this means that Pale Moon is likely to be more secure than Firefox. Of course, this has to be balanced by the risk of exploits being found for old code that Palemoon still uses, and new version of FF not.

Combined with NoScript (even if just for XSS protections etc), ad blocking (uBlock Origin), and MBAE it should be pretty solid IMO.

RJK3 · Sep 26, 2015

cnople said: ↑

I'm unsure however as to the security aspects of this browser, does it have all the latest security updates as per the latest Firefox version?
Click to expand...

Just further to my first reply:

FWIW You can run browser security tests yourself, such as http://www.browserscope.org/security/test

Firefox and Pale Moon all fail the same tests:
Firefox portable 37.0.1 fails 3/17
Firefox portable 41.0 fails 3/17
Pale Moon 25.7.0 (without NoScript) fails 3/17
(toStaticHTML API; X-Content-Type-Options; Origin header)

Pale Moon 25.7.0 (with NoScript) fails 1/17
(Origin header)

Chrome and secure variants all fail the same test:
Google Chrome 45.0.2454.99 fails 1/17
SWare Iron (based on Chromium) 43.0.2300.0 fails 1/17
SWare Iron (based on Chromium) 45.0.2400.0 fails 1/17
(toStaticHTML API)

Opera portable 12.17 build 1863 fails 6/17
(toStaticHTML API, X-Content-Type-Options, Sandbox attribute, Origin header, Content Security Policy, Block visited link sniffing)

So to reiterate, with NoScript you can have it just passively block XSS, Clickjacking, CSRF, etc without using the per site whitelist/blacklisting of scripts, thereby increasing the security of FF/PaleMoon.

Other browser security related sites:
http://browserspy.dk/
http://www.pcflank.com/browser_test1.htm
https://www.ssllabs.com/ssltest/viewMyClient.html
https://www.browserleaks.com/

wolfrun · Sep 26, 2015

RJK3 said: ↑

Combined with NoScript (even if just for XSS protections etc), ad blocking (uBlock Origin), and MBAE it should be pretty solid IMO.
Click to expand...

That's my setup with Palemoon, uBlock Origin with Dynamic filtering and NoScript as above. Also have flashDisable installed as well. Oh, I also run Palemoon in Sandboxie, thought I had better mention that as well.

cnople · Sep 26, 2015

Thanks for the clarification. I have uBlock Origin and Diconnect installed as a matter of course, and MBAM premium and MBAE free. So I feel better about it.

I did however just have to switch to Chrome (which I dislike) for a website that required Adobe Reader plugin to view.

RJK3 · Sep 26, 2015

wolfrun said: ↑

That's my setup with Palemoon, uBlock Origin with Dynamic filtering and NoScript as above. Also have flashDisable installed as well. Oh, I also run Palemoon in Sandboxie, thought I had better mention that as well.
Click to expand...

Not much will get through a setup like that Even Cryptolocker type malware won't be able to do damage provided Sandboxie settings are blocking direct write access to user folders.

cnople said: ↑

Thanks for the clarification. <snip> I did however just have to switch to Chrome (which I dislike) for a website that required Adobe Reader plugin to view.
Click to expand...

No worries. Well with the divergence between FF and PM I expect more and more websites not to behave properly with PM, but I've never had a website that requires Adobe Reader plugin to work properly. My journal sites just download the PDF instead of viewing them inline, which is what I want. Out of curiosity what site was it?

I keep portable versions of Firefox, Opera, and Iron browser handy.

cnople · Sep 27, 2015

RJK3 said: ↑

Out of curiosity what site was it?

I keep portable versions of Firefox, Opera, and Iron browser handy.
Click to expand...

It was an insurance company site, with a letter embedded in the page. It was greyed out and linked me to Adobe Reader, which I politely declined. I knew Chrome would handle it, but as I said, I dislike Chrome, and Google generally.

Dermot7 · Sep 28, 2015

25.7.1 (2015-09-28 )
This is a security, stability and web-compatibility update. This also marks a security update for the Android version of Pale Moon to keep users of the otherwise currently unmaintained OS updated regarding known security vulnerabilities.

Fixes/changes:

Code cleanup: Removed the majority of remaining telemetry code (including the data reporting back-end and health report) to prevent a few issues with partially removed code in earlier versions.

Fixed a crash due to handling of bogus URIs passed to CSS style filters (e.g. whatsapp's web interface).

Permitted spec-breaking syntax in Regex character classes, allowing ranges that would be permitted per the grammar rules in the spec but not necessarily following the syntax rules. This impacts a good number of (also higher profile) sites that use invalid ranges in regular expressions (e.g. Cisco's networking academy site, Yahoo Fantasy Football).

Fixed a crash due to the newly introduced WASAPI handling of audio channel mapping that doesn't like actual surround hardware setups (e.g. playing a video with quadraphonic audio on a 4-speaker setup).

Fixed an issue where site-specific dictionary selections would be written to content preferences without the user's action, potentially overwriting or clearing a previously-chosen dictionary.

Added support for drag and drop of local files from sources which use text/uri-lists. (Some Linux flavors/file managers)

Updated libnestegg to the most current version.

Fixed an issue where setting the location to an empty string could cause a reload loop.

Security fixes:

Changed the jemalloc poison address to something that is not a NOP-slide. DiD

Fixed a memory safety hazard in ConvertDialogOptions (CVE-2015-4521)

Fixed a buffer overflow/crash hazard in the VertexBufferInterface::reserveVertexSpace function in libGLES in ANGLE (CVE-2015-7179)

Fixed an overflow/crash hazard in the XULContentSinkImpl::AddText function (CVE-2015-7175)

Fixed a stack buffer overread hazard in the ICC v4 profile parser (CVE-2015-4504)

Fixed an HTMLVideoElement Use-After-Free Remote Code Execution 0-day vulnerability (ZDI-CAN-3176) (CVE-2015-4509)

Fixed a potentially exploitable crash in nsXBLService::GetBinding

Fixed a memory safety hazard in nsAttrAndChildArray::GrowBy (CVE-2015-7174)

Fixed a memory safety hazard for callers of nsUnicodeToUTF8::GetMaxLength (CVE-2015-4522)

Fixed a heap buffer overflow/crash hazard caused by invalid WebM headers (CVE-2015-4511)

DiD This means that the fix is "Defense-in-Depth": It is a fix that does not apply to an actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.
Click to expand...

https://www.palemoon.org/releasenotes.shtml

wolfrun · Sep 28, 2015

Updated via the updater. Working well.

hayc59 · Sep 28, 2015

installed, thank you!!

Dermot7 · Oct 2, 2015

https://www.palemoon.org/releasenotes.shtml

25.7.2 (2015-10-02)
This is a stability update, addressing 2 critical hangs:

Fixed a critical hang caused by recursive reloads that might happen in iframes if its hash changed.

Fixed a critical hang caused by lazy-loading of stylesheets through a specific web programming technique as advocated by Google's PageSpeed.

Click to expand...

hayc59 · Oct 2, 2015

Thank you D!!

wolfrun · Oct 2, 2015

Updated via the updater.(See that there's another wolf in the area)

ghodgson · Oct 14, 2015

http://www.palemoon.org/releasenotes.shtml

25.7.3 (2015-10-14)
This is a usability update needed due to the fact that Mozilla has shut down their key exchange (J-PAKE) server along with the old Sync servers.
This was unexpected and required us to set up our own key server
Click to expand...

Log in or Sign up

Pale Moon 25 Released

SouthPark Registered Member

Dermot7 Registered Member

LimboSlam Registered Member

Dermot7 Registered Member

wolfrun Registered Member

Dermot7 Registered Member

wolfrun Registered Member

LimboSlam Registered Member

wolfrun Registered Member

cnople Registered Member

Dermot7 Registered Member

The Red Moon Registered Member

RJK3 Registered Member

RJK3 Registered Member

wolfrun Registered Member

cnople Registered Member

RJK3 Registered Member

cnople Registered Member

Dermot7 Registered Member

wolfrun Registered Member

hayc59 Updates Team

Dermot7 Registered Member

hayc59 Updates Team

wolfrun Registered Member

ghodgson Registered Member

Log in or Sign up

Pale Moon 25 Released

SouthPark Registered Member

Dermot7 Registered Member

LimboSlam Registered Member

Dermot7 Registered Member

wolfrun Registered Member

Dermot7 Registered Member

wolfrun Registered Member

LimboSlam Registered Member

wolfrun Registered Member

cnople Registered Member

Dermot7 Registered Member

The Red Moon Registered Member

RJK3 Registered Member

RJK3 Registered Member

wolfrun Registered Member

cnople Registered Member

RJK3 Registered Member

cnople Registered Member

Dermot7 Registered Member

wolfrun Registered Member

hayc59 Updates Team

Dermot7 Registered Member

hayc59 Updates Team

wolfrun Registered Member

ghodgson Registered Member

Useful Searches