Jump to content

My Browser Builds (Part 2)


Recommended Posts


Current zero-day hype:

SCARY as hell, as always. Everywhere. If you're using even a just slightly older browser version, just a few days old, you're already as good as ***DEAD***! Boah...

But also as always (99%), this only can hit if JAVASCRIPT is allowed?
And additionally, this even requires a special JS feature "JIT" to be allowed too? And the only purpose of this is to speed up scripts, in exchange for much higher dangers?

At least if I get it right and this article is about that current hype?
https://nakedsecurity.sophos.com/2020/01/09/browser-zero-day-update-your-firefox-right-now/

If that's all, have no worry... My *really* old browser version allows blocking JIT since years (and JS by default off anyway, or freezing for lack of RAM):
pref("javascript.options.jit.chrome", false);
pref("javascript.options.jit.content", false);
pref("javascript.options.jit.__INFO", "INFO: for better JS speed, but highly dangerous, zero-day vulnerable");
But no idea if those prefs are still valid for current modern browsers.

And also added today to my tweaked Default prefs file, acc to above article, just in case I'll some day install Tor:
pref("javascript.options.ion", false);
pref("javascript.options.ion__INFO", "INFO: JS-JIT in Tor, for better JS-speed but highly dangerous, zero-day vulnerable");

Link to comment
Share on other sites

If you're a true supermegaueberultraparanoid person, get yourself a full-body Velostat gimp-suit, 'cause just a cap is not enough.
Else, a good hardware firewall, MBAM 3.0 premium and a PEBCAK trap ought to suffice (and if not, just redeploy the latest backup) for you to hang loose.

Link to comment
Share on other sites

6 hours ago, Sampei.Nihira said:

the vulnerability that affected Fx, Pale Moon, Basilisk also affects Thunderbird:

https://www.mozilla.org/en-US/security/advisories/mfsa2020-04/

A patch for Interlink Mail News is also required.

Can you do it?

If my understanding is correct, it might be already in with the latest 2020-01-11 build:

On 1/11/2020 at 1:57 AM, roytam1 said:

New build of BOC/UXP for XP!

Test binary:
MailNews Win32 https://o.rths.ml/boc-uxp/mailnews.win32-20200111-beb2221f-uxp-f64e760ab-xpmod.7z
There are no new Official repo changes since my last build.

For UXP changes, please see above.

"above" refers to https://msfn.org/board/topic/180462-my-browser-builds-part-2/?do=findComment&comment=1176055

where it's stated: 

On 1/11/2020 at 1:57 AM, roytam1 said:

My (UXP) changes since my last build:
- ported mozilla upstream bug: Bug 1607443 - Fix some alias sets. r=tcampbell, a=lizzard (b8ab52794)

The "patch" you refer to is platform wide, so it should be present in all latest UXP applications (NM28, St52, MN, BN); Moebius (St55) had to be treated separately... :P

Edited by VistaLover
Link to comment
Share on other sites

dencorso said:
> If you're a true supermegaueberultraparanoid person, get yourself
> a full-body Velostat gimp-suit, 'cause just a cap is not enough.

Why "get" - don't you see? We have that suit long since:
Just a click on the JS/iframe/objects/media block buttons and POOF!! fullbody suit pops up all around us.

Link to comment
Share on other sites

7 hours ago, Sampei.Nihira said:

those who still use FF52 are at risk.

... According to: 

https://nakedsecurity.sophos.com/2020/01/09/browser-zero-day-update-your-firefox-right-now/

disabling IonMonkey JIT by setting: 

javascript.options.ion;false

will get you covered ;) , but with a (slight) performance penalty, of course... :whistle:
The linked article mentions that mitigation only in relation to the Tor Browser (and until the time it gets updated, which it did), but that same "about:config" pref is apparently present in FxESR 52.9.x, which, as we all know, won't be patched... :angry:

Link to comment
Share on other sites

On 1/9/2020 at 12:43 AM, Mathwiz said:

But it was recently discovered that they can be abused for tracking you. Thus Pale Moon (and thence New Moon) have them disabled by default.

@Mathwiz : Hope you're doing fine in the new year  :hello: ; when you first posted this some days ago, I was genuinely puzzled, but since I was occupied with other matters, both in digital (!) and real life :whistle:, I left it aside for future investigation; my contribution to the subject at hand was simply

which basically links to the old Bugzilla bug #967977   :)

Today I had some extra time and decided to search the official UXP GitHub repo/issue tracker, to find proof which substantiates the report that:

Quote

Pale Moon (and thence New Moon) have them disabled by default.

(them in that context refers to TLS Session Tickets/TLS cache); I've searched specifically for code that sets the hidden pref
security.ssl.disable_session_identifiers
to true, but my search was, alas, fruitless... :( I then browsed @roytam1 's forked UXP repo, both branches (master+custom), for similar code signs, but to no avail, again :( ... So, by simply going with public source code, I found no clues that the default behaviour in either (official) PM28 and/or (forked) NM28 is to disable TLS session tickets, as you suggested...

But you are not to blame yourself ;), I have myself in the past "slipped" in a similar fashion... -_- :blushing: ; the blame lies on the OP, for causing undue confusion over a "supposedly" new-found issue, most likely self-inflicted:

On 1/8/2020 at 1:54 PM, msfntor said:

In the latest NEW MOON 28.9 20200104 I've:

Session Ticket Support

Improvable

... was the post that started all this :angry:; as part of my investigation, I have downloaded said NM28 build (BuildID=20200104010047), as well as the one after it (BuildID=20200110230556) and guess what one finds by visiting

https://www.howsmyssl.com

in a brand new/fresh (browser) profile:

mCPeqWq.jpg

and

mT7095h.jpg

So, nothing has changed in NM28 with regard to TLS Session Tickets, they are enabled by default (which yields the green "Good" button in that test page) ... Once more, it was simply @msfntor 's troll-ish behaviour in posting unchecked/unverified untruths, which ended up wasting people's time... :angry:

Link to comment
Share on other sites

@VL Sorry but I keep thinking it's your own decision to waste that time, after first experiences. I know it's not quite easy to suppress an urge to reply anyway. I do highly appreciate all the help you give, it really is extremely useful, also for later readers. What I just personally find rather sad in todays world is that real trolls, who only post to disrupt and attack and offend, and enjoy it, never get any trouble, quite the opposite, instead it's usually kind people who never do any harm who get hunted for no crimes at all.

Edited by siria
Link to comment
Share on other sites

13 hours ago, VistaLover said:

... According to: 

https://nakedsecurity.sophos.com/2020/01/09/browser-zero-day-update-your-firefox-right-now/

disabling IonMonkey JIT by setting: 

javascript.options.ion;false

will get you covered ;) , but with a (slight) performance penalty, of course... :whistle:
The linked article mentions that mitigation only in relation to the Tor Browser (and until the time it gets updated, which it did), but that same "about:config" pref is apparently present in FxESR 52.9.x, which, as we all know, won't be patched... :angry:

Better that way, I uninstalled FF52.
I only use NM28.:thumbup

Link to comment
Share on other sites

Sadly i cant use the new december 2019 january 2020 versions of Basilisk 52, 55, newmoon 28.x 27.7, the computer totally freeze and must do a hard reset with the power button. I just install Ublock origin legacy and set some security configuration in about:config. Happens when open msfn.org/board or youtube.com p.e

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...