Sampei.Nihira Posted January 13, 2020 Posted January 13, 2020 26 minutes ago, VistaLover said: Special message from upstream: https://forum.palemoon.org/viewtopic.php?f=1&t=23605 Yes, it is good to write that those who still use FF52 are at risk.
Sampei.Nihira Posted January 13, 2020 Posted January 13, 2020 (edited) @roytam1 Hi, the vulnerability that affected FF,Pale Moon,Basilisk also affects Thunderbird: https://www.mozilla.org/en-US/security/advisories/mfsa2020-04/ A patch for Interlink Mail News is also required. You can do it? Edited January 13, 2020 by Sampei.Nihira
siria Posted January 13, 2020 Posted January 13, 2020 Current zero-day hype: SCARY as hell, as always. Everywhere. If you're using even a just slightly older browser version, just a few days old, you're already as good as ***DEAD***! Boah... But also as always (99%), this only can hit if JAVASCRIPT is allowed? And additionally, this even requires a special JS feature "JIT" to be allowed too? And the only purpose of this is to speed up scripts, in exchange for much higher dangers? At least if I get it right and this article is about that current hype? https://nakedsecurity.sophos.com/2020/01/09/browser-zero-day-update-your-firefox-right-now/ If that's all, have no worry... My *really* old browser version allows blocking JIT since years (and JS by default off anyway, or freezing for lack of RAM): pref("javascript.options.jit.chrome", false); pref("javascript.options.jit.content", false); pref("javascript.options.jit.__INFO", "INFO: for better JS speed, but highly dangerous, zero-day vulnerable"); But no idea if those prefs are still valid for current modern browsers. And also added today to my tweaked Default prefs file, acc to above article, just in case I'll some day install Tor: pref("javascript.options.ion", false); pref("javascript.options.ion__INFO", "INFO: JS-JIT in Tor, for better JS-speed but highly dangerous, zero-day vulnerable"); 1
dencorso Posted January 13, 2020 Posted January 13, 2020 If you're a true supermegaueberultraparanoid person, get yourself a full-body Velostat gimp-suit, 'cause just a cap is not enough. Else, a good hardware firewall, MBAM 3.0 premium and a PEBCAK trap ought to suffice (and if not, just redeploy the latest backup) for you to hang loose. 2
VistaLover Posted January 13, 2020 Posted January 13, 2020 (edited) 6 hours ago, Sampei.Nihira said: the vulnerability that affected Fx, Pale Moon, Basilisk also affects Thunderbird: https://www.mozilla.org/en-US/security/advisories/mfsa2020-04/ A patch for Interlink Mail News is also required. Can you do it? If my understanding is correct, it might be already in with the latest 2020-01-11 build: On 1/11/2020 at 1:57 AM, roytam1 said: New build of BOC/UXP for XP! Test binary: MailNews Win32 https://o.rths.ml/boc-uxp/mailnews.win32-20200111-beb2221f-uxp-f64e760ab-xpmod.7z There are no new Official repo changes since my last build. For UXP changes, please see above. "above" refers to https://msfn.org/board/topic/180462-my-browser-builds-part-2/?do=findComment&comment=1176055 where it's stated: On 1/11/2020 at 1:57 AM, roytam1 said: My (UXP) changes since my last build: - ported mozilla upstream bug: Bug 1607443 - Fix some alias sets. r=tcampbell, a=lizzard (b8ab52794) The "patch" you refer to is platform wide, so it should be present in all latest UXP applications (NM28, St52, MN, BN); Moebius (St55) had to be treated separately... Edited January 13, 2020 by VistaLover
siria Posted January 13, 2020 Posted January 13, 2020 dencorso said: > If you're a true supermegaueberultraparanoid person, get yourself > a full-body Velostat gimp-suit, 'cause just a cap is not enough. Why "get" - don't you see? We have that suit long since: Just a click on the JS/iframe/objects/media block buttons and POOF!! fullbody suit pops up all around us.
NotHereToPlayGames Posted January 13, 2020 Posted January 13, 2020 like mentioned earlier, it's all just a d@mn bunch of HYPE - blah, blah, blah, who freakin' cares, i will CONTINUE to use my "unpatched" 28.2.2 as it suits my needs perfectly! 1
VistaLover Posted January 14, 2020 Posted January 14, 2020 7 hours ago, Sampei.Nihira said: those who still use FF52 are at risk. ... According to: https://nakedsecurity.sophos.com/2020/01/09/browser-zero-day-update-your-firefox-right-now/ disabling IonMonkey JIT by setting: javascript.options.ion;false will get you covered , but with a (slight) performance penalty, of course... The linked article mentions that mitigation only in relation to the Tor Browser (and until the time it gets updated, which it did), but that same "about:config" pref is apparently present in FxESR 52.9.x, which, as we all know, won't be patched... 2
VistaLover Posted January 14, 2020 Posted January 14, 2020 On 1/9/2020 at 12:43 AM, Mathwiz said: But it was recently discovered that they can be abused for tracking you. Thus Pale Moon (and thence New Moon) have them disabled by default. @Mathwiz : Hope you're doing fine in the new year ; when you first posted this some days ago, I was genuinely puzzled, but since I was occupied with other matters, both in digital (!) and real life , I left it aside for future investigation; my contribution to the subject at hand was simply which basically links to the old Bugzilla bug #967977 Today I had some extra time and decided to search the official UXP GitHub repo/issue tracker, to find proof which substantiates the report that: Quote Pale Moon (and thence New Moon) have them disabled by default. (them in that context refers to TLS Session Tickets/TLS cache); I've searched specifically for code that sets the hidden pref security.ssl.disable_session_identifiers to true, but my search was, alas, fruitless... I then browsed @roytam1 's forked UXP repo, both branches (master+custom), for similar code signs, but to no avail, again ... So, by simply going with public source code, I found no clues that the default behaviour in either (official) PM28 and/or (forked) NM28 is to disable TLS session tickets, as you suggested... But you are not to blame yourself , I have myself in the past "slipped" in a similar fashion... ; the blame lies on the OP, for causing undue confusion over a "supposedly" new-found issue, most likely self-inflicted: On 1/8/2020 at 1:54 PM, msfntor said: In the latest NEW MOON 28.9 20200104 I've: Session Ticket Support Improvable ... was the post that started all this ; as part of my investigation, I have downloaded said NM28 build (BuildID=20200104010047), as well as the one after it (BuildID=20200110230556) and guess what one finds by visiting https://www.howsmyssl.com in a brand new/fresh (browser) profile: and So, nothing has changed in NM28 with regard to TLS Session Tickets, they are enabled by default (which yields the green "Good" button in that test page) ... Once more, it was simply @msfntor 's troll-ish behaviour in posting unchecked/unverified untruths, which ended up wasting people's time... 2
Montana Slim Posted January 14, 2020 Posted January 14, 2020 It'd be fantastic if Roytam would build newer versions of SeaMonkey 2.49.5 like: https://www.wg9s.com/comm-esr/ Was doing a while back.
siria Posted January 14, 2020 Posted January 14, 2020 (edited) @VL Sorry but I keep thinking it's your own decision to waste that time, after first experiences. I know it's not quite easy to suppress an urge to reply anyway. I do highly appreciate all the help you give, it really is extremely useful, also for later readers. What I just personally find rather sad in todays world is that real trolls, who only post to disrupt and attack and offend, and enjoy it, never get any trouble, quite the opposite, instead it's usually kind people who never do any harm who get hunted for no crimes at all. Edited January 14, 2020 by siria 3
Bruninho Posted January 14, 2020 Posted January 14, 2020 8 hours ago, Montana Slim said: It'd be fantastic if Roytam would build newer versions of SeaMonkey 2.49.5 like: https://www.wg9s.com/comm-esr/ Was doing a while back. Im using the original 2.49.5 SeaMonkey version on Win2k without problems, runs perfectly, but I have BWC Kex as well 1
Sampei.Nihira Posted January 14, 2020 Posted January 14, 2020 13 hours ago, VistaLover said: ... According to: https://nakedsecurity.sophos.com/2020/01/09/browser-zero-day-update-your-firefox-right-now/ disabling IonMonkey JIT by setting: javascript.options.ion;false will get you covered , but with a (slight) performance penalty, of course... The linked article mentions that mitigation only in relation to the Tor Browser (and until the time it gets updated, which it did), but that same "about:config" pref is apparently present in FxESR 52.9.x, which, as we all know, won't be patched... Better that way, I uninstalled FF52. I only use NM28.
sukistackhouse Posted January 14, 2020 Posted January 14, 2020 Sadly i cant use the new december 2019 january 2020 versions of Basilisk 52, 55, newmoon 28.x 27.7, the computer totally freeze and must do a hard reset with the power button. I just install Ublock origin legacy and set some security configuration in about:config. Happens when open msfn.org/board or youtube.com p.e
looking4awayout Posted January 15, 2020 Posted January 15, 2020 Try to use the UOC Patch and Enforcer. See if it makes a difference. 1
Recommended Posts