As a lot of people know Firefox 57 will be coming soon and that will be the end of a lot of useful addons. I don't want to ever go to Firefox 57 so if I were to stay with Firefox 56 would that be a security risk ?
Security risk with staying with a set version of a browser forever ?
- Thread starter ng4ever
- Start date
Please provide comments and solutions that are helpful to the author of this topic.
- Nov 17, 2016
- 1,242
- Oct 2, 2014
- 825
I'll reply this by this copy paste from Oficial website:
"Pale Moon is based on the Mozilla release source code that has a large community of developers and security-aware people, next to having seen over a decade of development by now. In addition, the Pale Moon team checks and verifies any reports of issues that might impact your safety on the web. It includes, among other things, protection against dangerous add-ons, automatic checking for updates of add-ons, password protection (master password), website-identity information in the address bar, and private browsing.
From Pale Moon Developer:
"Every Firefox release cycle, I contact the Mozilla Security team to get bug access for otherwise locked sec bugs. This allows me to audit these vulnerabilities, assess applicability, and port across what applies to our code base. Our security is at all times at least at the release edge of the equivalent published Firefox version, and in some cases beyond it.
If you think Pale Moon 27 is "rebranded Firefox 38.0" then you should stop and read up a little on what Pale Moon is before saying anything more."
Pale Moon's development includes a critical evaluation of potential security risks which are addressed in each new release, with on occasion a point-release for critical issues that is released as soon as possible after the security issue comes to light"
And that I have used it for a long long time and proved to be secure enough to be kept in my computer.
You can see release notes and find yourself they actually patch exploits, as I said, it's not a dead browser by any means. The day they don't put enough effort into it I'll just leave it, hopefully this is not the case.
"04/28/2017"
Security/privacy changes:
- Updated NSS to 3.28.4-RTM to address a number of issues.
- Added support for RSA-AES(-GCM)-SHA256/384 suites to broaden compatibility.
- Reconfigured networking security: disabled static DHE suites by default, enabled all RSA-AES(-GCM)-SHA256/384 suites in their stead.
- Fixed referrer policy keyword to align with the current spec ("cross-origin" vs "crossorigin").
- Added an option to display punycode domain for IDN websites to combat phishing.
This is enabled by default for domain-validated https sites.
Preference: browser.identity.display_punycode
0 = Display IDN name in identity panel (previous behavior)
1 = Display punycode name for DV SSL domains (default)
2 = Also display punycode for HTTP sites if IDN name used - Fixed an issue to prevent contacting remote servers when a connection might get blocked.
- Fixed 3 public security flaws in libevent, which may affect Mozilla-based products. DiD
- Fixed several memory- and thread-safety hazards.
- Fixed an address bar spoofing issue. (CVE-2017-5451)
- Fixed a potentially exploitable crash with HTTP/2. (CVE-2017-5446)
- Fixed several security hazards in XSLT processing. (CVE-2017-5438) (CVE-2017-5439) (CVE-2017-5440)
- Fixed several security hazards in old protocols. (CVE-2017-5444) (CVE-2017-5445)
- Fixed out-of-bounds access in text formatting. (CVE-2017-5447)
- Fixed a potentially exploitable issue with innerText. (CVE-2017-5442)
- Fixed a potentially exploitable issue in graphite font shaping.
- Fixed a potentially exploitable crash with credential-authentication.
- Fixed out-of-bounds access with text selection in rare cases.
- Fixed a security hazard in the ANGLE library."
Last edited:
Everybody knows than FF based browsers are too vulnerable, FF isn't even a considered a decent target in hacking contest and competitions, it is hacked too easily while Chrome need lot of time and resources to be compromised.
Microsoft Edge: Most Hacked Browser At Pwn2Own 2017
It will be interesting to see the next contest with FF using its newly implemented sandbox.
Chrome has a solid and renowned sandbox , FF doesn't (until v54 and we will have to wait to see if it will be effective.); It will be interesting to see the next contest with FF using its newly implemented sandbox.
Chrome can use Appcontainer, FF doens't...
Microsoft's Edge Was Most Hacked Browser At Pwn2Own 2017, While Chrome Remained Unhackable - Slashdot
Saying than because a software is safer because less targeted is like saying "i live in a safe neighborhood so i let all door of my house unlocked when i go to work..." really?
Now i don't say Palemoon/FF is a bad browser, in term of usability & customization but saying it is as safe or safer than Chrome is total ignorance...
Obviously if you have safe habits , it is as safe as any other browsers but in a pentesting situation FF and co clearly isn't.
Microsoft Edge: Most Hacked Browser At Pwn2Own 2017
It will be interesting to see the next contest with FF using its newly implemented sandbox.
Chrome has a solid and renowned sandbox , FF doesn't (until v54 and we will have to wait to see if it will be effective.); It will be interesting to see the next contest with FF using its newly implemented sandbox.
Chrome can use Appcontainer, FF doens't...
Microsoft's Edge Was Most Hacked Browser At Pwn2Own 2017, While Chrome Remained Unhackable - Slashdot
Saying than because a software is safer because less targeted is like saying "i live in a safe neighborhood so i let all door of my house unlocked when i go to work..." really?
Now i don't say Palemoon/FF is a bad browser, in term of usability & customization but saying it is as safe or safer than Chrome is total ignorance...
Obviously if you have safe habits , it is as safe as any other browsers but in a pentesting situation FF and co clearly isn't.
Last edited by a moderator:
- Apr 9, 2017
- 186
And you want Google to track you and your family's surfing habits?
I believe security and privacy are the most important factors when come to selecting a browser. Chrome is very secure and that's no doubt about that but it's poor in privacy.
To choose one which balances security and privacy I think Chrome is not a good choice.
As long as you use Google services you'll be tracked by Google.
Even FF's built-in phishing and malware protection also calls back to Google, if needed
How does built-in Phishing and Malware Protection work? | Firefox Help
Google's Safe Browsing is use in many browsers
- Oct 2, 2014
- 825
I don't say less targeted equal safer. I just say most common malware and PuP will trigger Chrome over custom verisons of FF and that's something I was able to see with my own eyes when I used to test samples in VM. Call it compatibility of the malware, call it lazy malware developers who won't adjust a few settings so the malware can work in ports of FF or its variant. In the other hand I have seen multiple times the so "safe" Chrome browser will just get infected by PuP, total mess. Then I saw in that time Google released a Chrome clean tool because in that time the amount of Adware easily taking control of Chrome was crazy. In other words I meant that most common malware / adware will clearly work on Chrome since it's the most used browser. That's all.
And I don't think it is total ignorance to call Pale Moon safe, personally I have used it for too long that I'm aware of it's capabilities. No need for an ignorance call.
I like this quote from one of the Pwn2Own events:
"The Opera web browser was left out of the contests as a target: The ZDI team argued that Opera had a low market share and that Chrome and Safari are only included"
I like the part low market share.
"O Amigo400, I don't recall the last time visiting the Library, seeing any literature regarding Pale Moon being buggy. I haven't really heard about Pale Moon till as of late. Only as of late has it be "said" (not reading material) to stay away from these unknown Browsers such as Pale Moon. Let's face up to the facts, this rig called Pale Moon simply pales in comparison to Browsers such as Opera, Firefox, Edge and especially Chrome.
The material presented here by Mr darko means little, only if you're so biased towards one specific Browser and in ignorance suggest or imply all the others are bad.
My suggestion is, for your own safety's sake, switch to Chrome before you and your family are all hacked. Remember, cold weather balloons are safer than hot air balloons because the former doesn't get off the ground."
I never said other browsers are bad, I actually use Opera as main browser and I use a lot Pale Moon since I need certain addon functions I don't get in Chromium based browsers. And it also runs fast in my computer so there are multiple reasons why I use Pale Moon over Firefox. You need more reading focus. And by the way, Pale Moon has a decent amount of users and the community is awesome in terms of technical support and time response. The browser forum is handy and shows the spirit of a browser that has it's own potential.
Last edited:
what kind of samples? infected links that exploit chrome directly?
Because when we talk about browser security , we talk about threats coming from inside the browser; not threats you download and allow to run on the system.
PUP ? so you visited a site , and suddenly, out of the blue , a PUP just popup in Chrome without your interactions or any downloads?
If what you said is true, we should team up and we will win load of $$$ in the next hacking contest; because you just claimed to bypass the Chrome Sandbox from inside !
i guess your tests are about malware you downloaded in your system that infected Chrome; which is not chrome compromised but your system compromised..
Browser doesn't have self-protection like AVs or security softs.
- Jun 5, 2014
- 292
- Oct 2, 2014
- 825
It was both samples and redirect malware, and a few malvertising cases but all with the above outcome. The browser mechanism to avoid it's settings getting modified by downloaded or non downloaded infections counts into security area. It was the very first time that "Chrome Cleanup Tool" appeared and just on time. Chrome then got better with time and this tool was not as necessary as in that time, but stills.
So do you have some links that when i visit them , it install something in Chrome without my consent? after all this is what we are talking about.
Malware/PUP already present in the system and compromising the browser is not the browser fault.
Browser security is about preventing scripts and exploits launched from the site visited by the browser and compromising the system by exploiting a design/coding vulnerability of the browser and reach critical areas of the system.
- Oct 2, 2014
- 825
If I had the links I doubt if they would work with current version of Chrome, they prob worked for the version of Chrome that existed at that time. I never got the habit of keeping samples or moving them or back up them. I pretty much played in VM and let them there to die. Yes there was interaction since I remember the boxes showing up but it didn't allow me to click on them they will appear and disappear fast, then browser was infected mostly junk addons and many toolbars, but settings were also compromised. It was when I was active here at MT testing on VM. Yes some were samples and as you said not browser faults, but others came from malvertising and redirect malware.
It's funny that Edge which is from Microsoft is weak according to Pwn2Own. I don't see people going nuts over it and unpinning it from taskbar. But instead they go calling Pale Moon unsafe, junk, hackers magnet, etc. Believe me if we go the "Hacking are under your bed madness" then half of the software installed in most computers should be uninstalled. I would agree that Skype for example is danger over 9.000. But Pale Moon? Seriously? People gotta chill a bit.
Last edited:
- Nov 17, 2016
- 1,242
FF is there now though so it isn't so bad. I doubt Firefox will ever be at Chrome's level since Google is bigger. They also seem to have the "bigger guns".
Edge is new, so it was an obvious target and MS can learn from those contests, FF will be the next preferred target because the implementation of a sandbox on v54.
It is not Palemoon that is criticized but any browser with the FF core, it was always weak compared to Chrome .
I hope the new sandbox will be effective, i checked some of its mechanism, it is based on levels of tightness, 0 - 1 - 2 , 2 being the highest one, i saw a Level 3 but , very tight but it seems it will not be implemented yet.
- Aug 2, 2015
- 4,286
Good point,
and if were being honest here, most browsers these days are fine to use with the tools security software offers and addons.
Even a below average PC user will find it not so hard to pick a browser they truly like and secure it for safe use, they just have
to see through all the BS hype and fear mongering.
I have used FF for more years than I care to remember and have never not once suffered a major security related event.
It's just not in my blood to be a good sheep and follow the flock so to speak, I will leave that to others.
I love and respect Mozillas projects and what they stand for, including but not limited to their unwavering
stance on privacy. I can't tell you over the years the amount of donations Carol and I have made to the
Mozilla Foundation.
- Nov 17, 2016
- 1,242
Yes. My best friend is still empirical evidence. If I can be secure doing the minimum given my threat model, I will. And you'll never know until you try in a large enough time to get valuable and consistent data.
I can't even if I wanted or needed to. A thing I ultimately find annoying.
The sandbox level in FF can be changed now
How to change Firefox's Sandbox security level - gHacks Tech News
- Status
Similar threads
