roytam1

My browser builds (part 2)


Current zero-day hype:

SCARY as hell, as always. Everywhere. If you're using even a just slightly older browser version, just a few days old, you're already as good as ***DEAD***! Boah...

But also as always (99%), this only can hit if JAVASCRIPT is allowed?
And additionally, this even requires a special JS feature "JIT" to be allowed too? And the only purpose of this is to speed up scripts, in exchange for much higher dangers?

At least if I get it right and this article is about that current hype?
https://nakedsecurity.sophos.com/2020/01/09/browser-zero-day-update-your-firefox-right-now/

If that's all, have no worry... My *really* old browser version allows blocking JIT since years (and JS by default off anyway, or freezing for lack of RAM):
pref("javascript.options.jit.chrome", false);
pref("javascript.options.jit.content", false);
pref("javascript.options.jit.__INFO", "INFO: for better JS speed, but highly dangerous, zero-day vulnerable");
But no idea if those prefs are still valid for current modern browsers.

And also added today to my tweaked Default prefs file, acc to above article, just in case I'll some day install Tor:
pref("javascript.options.ion", false);
pref("javascript.options.ion__INFO", "INFO: JS-JIT in Tor, for better JS-speed but highly dangerous, zero-day vulnerable");

  • Like 1


If you're a true supermegaueberultraparanoid person, get yourself a full-body Velostat gimp-suit, 'cause just a cap is not enough.
Else, a good hardware firewall, MBAM 3.0 premium and a PEBCAK trap ought to suffice (and if not, just redeploy the latest backup) for you to hang loose.

  • Like 2

6 hours ago, Sampei.Nihira said:

the vulnerability that affected Fx, Pale Moon, Basilisk also affects Thunderbird:

https://www.mozilla.org/en-US/security/advisories/mfsa2020-04/

A patch for Interlink Mail News is also required.

Can you do it?

If my understanding is correct, it might be already in with the latest 2020-01-11 build:

On 1/11/2020 at 1:57 AM, roytam1 said:

New build of BOC/UXP for XP!

Test binary:
MailNews Win32 https://o.rths.ml/boc-uxp/mailnews.win32-20200111-beb2221f-uxp-f64e760ab-xpmod.7z
There are no new Official repo changes since my last build.

For UXP changes, please see above.

"above" refers to https://msfn.org/board/topic/180462-my-browser-builds-part-2/?do=findComment&comment=1176055

where it's stated: 

On 1/11/2020 at 1:57 AM, roytam1 said:

My (UXP) changes since my last build:
- ported mozilla upstream bug: Bug 1607443 - Fix some alias sets. r=tcampbell, a=lizzard (b8ab52794)

The "patch" you refer to is platform wide, so it should be present in all latest UXP applications (NM28, St52, MN, BN); Moebius (St55) had to be treated separately... :P

Edited by VistaLover


dencorso said:
> If you're a true supermegaueberultraparanoid person, get yourself
> a full-body Velostat gimp-suit, 'cause just a cap is not enough.

Why "get" - don't you see? We have that suit long since:
Just a click on the JS/iframe/objects/media block buttons and POOF!! fullbody suit pops up all around us.


like mentioned earlier, it's all just a d@mn bunch of HYPE - blah, blah, blah, who freakin' cares, i will CONTINUE to use my "unpatched" 28.2.2 as it suits my needs perfectly!

  • Like 1

7 hours ago, Sampei.Nihira said:

those who still use FF52 are at risk.

... According to: 

https://nakedsecurity.sophos.com/2020/01/09/browser-zero-day-update-your-firefox-right-now/

disabling IonMonkey JIT by setting: 

javascript.options.ion;false

will get you covered ;) , but with a (slight) performance penalty, of course... :whistle:
The linked article mentions that mitigation only in relation to the Tor Browser (and until the time it gets updated, which it did), but that same "about:config" pref is apparently present in FxESR 52.9.x, which, as we all know, won't be patched... :angry:

  • Like 1
  • Upvote 1
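
Added example, not part of any post in this thread: a small Python audit of a prefs file for the JIT prefs discussed above (`javascript.options.ion` in this post, `javascript.options.jit.chrome` and `javascript.options.jit.content` in the first post). It assumes a single prefs text in which the last assignment wins; `JIT_PREFS`, `parse_prefs`, `audit_jit` and the sample lines are constructed for illustration.

```python
import re

# Boolean JIT prefs named in the thread; the posters set each to false.
JIT_PREFS = ("javascript.options.ion",
             "javascript.options.jit.chrome",
             "javascript.options.jit.content")

# Matches pref("name", value); and user_pref("name", value); lines.
# match() anchors at line start, so "// pref(...)" lines never match.
PREF_LINE = re.compile(
    r'\s*(?:user_pref|pref)\s*\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;')

def parse_prefs(text):
    """Return {name: value}; a later line for the same name overrides."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        else:
            prefs[name] = raw.strip('"')  # other literals kept as text
    return prefs

def audit_jit(text):
    """Map each JIT pref to 'disabled', 'enabled', 'unset' or 'not-boolean'.

    'not-boolean' flags a value such as "false" typed as a quoted string.
    """
    prefs, report = parse_prefs(text), {}
    for name in JIT_PREFS:
        value = prefs.get(name)
        if isinstance(value, bool):
            report[name] = "enabled" if value else "disabled"
        else:
            report[name] = "not-boolean" if name in prefs else "unset"
    return report

# Constructed sample, modelled on the pref lines quoted in the thread.
SAMPLE = '''\
pref("javascript.options.jit.chrome", false);
// pref("javascript.options.jit.content", false);
pref("javascript.options.ion__INFO", "INFO: JS-JIT note");
pref("javascript.options.ion", false);
user_pref("javascript.options.ion", true);
'''

if __name__ == "__main__":
    for name, status in audit_jit(SAMPLE).items():
        print(f"{name}: {status}")
```

The `__INFO` note prefs are stored under their own names and never mistaken for the boolean pref, and a later `user_pref` line that re-enables Ion is reported as `enabled` even though an earlier line disabled it.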

On 1/9/2020 at 12:43 AM, Mathwiz said:

But it was recently discovered that they can be abused for tracking you. Thus Pale Moon (and thence New Moon) have them disabled by default.

@Mathwiz : Hope you're doing fine in the new year  :hello: ; when you first posted this some days ago, I was genuinely puzzled, but since I was occupied with other matters, both in digital (!) and real life :whistle:, I left it aside for future investigation; my contribution to the subject at hand was simply

which basically links to the old Bugzilla bug #967977   :)

Today I had some extra time and decided to search the official UXP GitHub repo/issue tracker, to find proof which substantiates the report that:

Quote

Pale Moon (and thence New Moon) have them disabled by default.

(them in that context refers to TLS Session Tickets/TLS cache); I've searched specifically for code that sets the hidden pref
security.ssl.disable_session_identifiers
to true, but my search was, alas, fruitless... :( I then browsed @roytam1 's forked UXP repo, both branches (master+custom), for similar code signs, but to no avail, again :( ... So, by simply going with public source code, I found no clues that the default behaviour in either (official) PM28 and/or (forked) NM28 is to disable TLS session tickets, as you suggested...

But you are not to blame yourself ;), I have myself in the past "slipped" in a similar fashion... -_- :blushing: ; the blame lies on the OP, for causing undue confusion over a "supposedly" new-found issue, most likely self-inflicted:

On 1/8/2020 at 1:54 PM, msfntor said:

In the latest NEW MOON 28.9 20200104 I've:

Session Ticket Support

Improvable

... was the post that started all this :angry:; as part of my investigation, I have downloaded said NM28 build (BuildID=20200104010047), as well as the one after it (BuildID=20200110230556) and guess what one finds by visiting

https://www.howsmyssl.com

in a brand new/fresh (browser) profile:

mCPeqWq.jpg

and

mT7095h.jpg

So, nothing has changed in NM28 with regard to TLS Session Tickets, they are enabled by default (which yields the green "Good" button in that test page) ... Once more, it was simply @msfntor 's troll-ish behaviour in posting unchecked/unverified untruths, which ended up wasting people's time... :angry:

  • Like 2


It'd be fantastic if Roytam would build newer versions of SeaMonkey 2.49.5 like:

https://www.wg9s.com/comm-esr/

Was doing a while back.


@VL Sorry but I keep thinking it's your own decision to waste that time, after first experiences. I know it's not quite easy to suppress an urge to reply anyway. I do highly appreciate all the help you give, it really is extremely useful, also for later readers. What I just personally find rather sad in today's world is that real trolls, who only post to disrupt and attack and offend, and enjoy it, never get any trouble, quite the opposite, instead it's usually kind people who never do any harm who get hunted for no crimes at all.

Edited by siria
  • Like 1
  • Upvote 1

8 hours ago, Montana Slim said:

It'd be fantastic if Roytam would build newer versions of SeaMonkey 2.49.5 like:

https://www.wg9s.com/comm-esr/

Was doing a while back.
 

I'm using the original 2.49.5 SeaMonkey version on Win2k without problems, runs perfectly, but I have BWC Kex as well

  • Upvote 1

13 hours ago, VistaLover said:

... According to: 

https://nakedsecurity.sophos.com/2020/01/09/browser-zero-day-update-your-firefox-right-now/

disabling IonMonkey JIT by setting: 

javascript.options.ion;false

will get you covered ;) , but with a (slight) performance penalty, of course... :whistle:
The linked article mentions that mitigation only in relation to the Tor Browser (and until the time it gets updated, which it did), but that same "about:config" pref is apparently present in FxESR 52.9.x, which, as we all know, won't be patched... :angry:

Better that way, I uninstalled FF52.
I only use NM28.:thumbup


Sadly I can't use the new December 2019, January 2020 versions of Basilisk 52, 55, newmoon 28.x 27.7; the computer totally freezes and I must do a hard reset with the power button. I just install uBlock Origin legacy and set some security configuration in about:config. It happens when I open msfn.org/board or youtube.com, for example.


Try to use the UOC Patch and Enforcer. See if it makes a difference.

  • Like 1

