
Firefox 10 will be skipped! (Secunia discussion)

Posted: 2012-02-04, 17:34
by bladerunner
Problem is that highly critical multiple vulnerabilities have been detected in Pale Moon 9.x (and in the FF 9.x version as well, of course. Thunderbird 9.x is affected too), as reported in Secunia advisory SA47816 http://secunia.com/advisories/47816/.

Have these vulnerabilities been fixed in Pale Moon 9.1, or is a specific update required (Pale Moon 9.2, for example)?

Re: Firefox 10 will be skipped!

Posted: 2012-02-04, 23:46
by Moonchild
Secunia is a bunch of hooey - they don't check ANYTHING themselves, just mindlessly regurgitate what Mozilla has posted in their security notes. Also they are WAY behind, their recent report is about 9.0.1, and their advice is "upgrade to 9.1" which is correct.

Re: Firefox 10 will be skipped!

Posted: 2012-02-05, 01:08
by bladerunner
Well, I'm not interested in a discussion about Secunia... I can tell you just this: the Kaspersky vulnerabilities database itself is totally based on the Secunia one (which is absolutely huge...).

About the report you are talking about, I think you are right: you are talking about report SA47751 http://secunia.com/advisories/47751, which is specific to Pale Moon vulnerabilities, and the suggested solution is to update to version 9.1. That means you are correct.

The problem is in the way Secunia works: I had to check the Secunia report about Pale Moon manually on the web. If I run a Secunia scan, it shows me the report about Firefox 9.x vulnerabilities (SA47816), which suggests updating to FF 10 as the solution. It looks like Secunia detects Pale Moon as if it were Firefox... Secunia has got the correct Pale Moon advisory, but the software shows the Firefox one. To get correct information I have to run a manual search on the web... I'll report this on the Secunia forum.

Re: Firefox 10 will be skipped!

Posted: 2012-02-05, 08:58
by Moonchild
Look, it is well-known that vulnerabilities are discovered in pieces of software that connect to the Internet all the time, especially things as complex as the Firefox code base.
It is also well-known that critical and essential vulnerabilities (i.e. ones that are more than just theoretical or a cleanup of code for proper allocation/deallocation, or a fix for a crash that MAY leave a piece of memory corrupted and could THEORETICALLY be abused) are always addressed with a "0-day patch" @Mozilla, and that Pale Moon closely follows those developments if they are applicable.

Quote: "Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x through 9.0, Thunderbird 5.0 through 9.0, and SeaMonkey before 2.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors"
Kind of vague and arbitrary. Certainly not an abuse scenario.

Also, Secunia simply copies the Firefox report, which may not even apply to Pale Moon. See for example the designator "9.x" there, which would be valid for Firefox, but not for Pale Moon, to begin with, since 9.1, also a 9.x version, fixes the critical vulnerabilities with patches taken from Firefox 10 development. Secunia has lumped Pale Moon together with Firefox which is not always correct. e.g. a vulnerability in the accessibility module is not applicable, nor is a vulnerability that would only be present when compiled with VS2005.

I don't care how big of an aggregator they are. Or who bases their version checking upon it (Kaspersky got lazy if they are doing that now). Like I said, I'm well aware of critical issues that need to be addressed, and I won't let Secunia reports rush me or divert me from my release plans, no matter how many paranoid people shout about it.

I'm also splitting this sub topic off from announcements to a different board as it has less to do with skipping v10 than it has to do with general browser code security. => Development.
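The mismatch both posters describe (a Firefox 9.x advisory being shown for Pale Moon because the scanner keys on the version number alone, even though Pale Moon 9.1 already carries the fixes) is what a product-aware advisory matcher avoids. The Python below is an added illustration for this thread, not code from the forum, from Pale Moon or from Secunia; the advisory records are constructed from the SA numbers and versions mentioned in the posts above, and the lower bounds of the affected ranges are an assumption (taken from the "4.x through 9.0" wording of the quoted Mozilla text, not from the advisories themselves).

```python
from dataclasses import dataclass
from typing import List, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.0.1' into (9, 0, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    sa_id: str           # advisory identifier as used in the thread
    product: str         # the product the advisory actually applies to
    affected_from: str   # first affected version (inclusive); assumed, see lead-in
    fixed_in: str        # first version containing the fix (exclusive upper bound)


# Constructed records modelled on the two advisories discussed above.
ADVISORIES: List[Advisory] = [
    # Firefox 9.x advisory: remedy quoted in the thread is "update to FF 10".
    Advisory("SA47816", "Firefox", affected_from="4.0", fixed_in="10.0"),
    # Pale Moon advisory: remedy quoted in the thread is "update to 9.1".
    Advisory("SA47751", "Pale Moon", affected_from="4.0", fixed_in="9.1"),
]


def version_in_range(adv: Advisory, version: str) -> bool:
    """True when `version` falls inside the advisory's affected window."""
    v = parse_version(version)
    return parse_version(adv.affected_from) <= v < parse_version(adv.fixed_in)


def naive_version_only(version: str) -> List[str]:
    """The failure mode from the thread: match on version, ignore the product.

    A Pale Moon 9.1 install (already patched) still lights up the Firefox
    advisory, because 9.1 sits inside Firefox's 4.0 <= v < 10.0 window.
    """
    return [adv.sa_id for adv in ADVISORIES if version_in_range(adv, version)]


def product_aware(product: str, version: str) -> List[str]:
    """Correct matching: the advisory must name this product AND cover the version.

    Forks that backport fixes get their own fixed_in boundary, so the upstream
    advisory's version window is never applied to them.
    """
    return [
        adv.sa_id
        for adv in ADVISORIES
        if adv.product == product and version_in_range(adv, version)
    ]


if __name__ == "__main__":
    for product, version in [("Pale Moon", "9.0.1"), ("Pale Moon", "9.1"),
                             ("Firefox", "9.0.1"), ("Firefox", "10.0")]:
        print(f"{product} {version}: naive={naive_version_only(version)} "
              f"product-aware={product_aware(product, version)}")
```

The point of the two functions sitting side by side is the scanner's data model, not the comparison itself: an affected-version range is only meaningful together with the product identity and that product's own fixed-in version, and a fork that ships a fix under a version number upstream still considers vulnerable (9.1 here) will be reported as vulnerable forever by anything that drops the product from the key.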