Basilisk 2023.09.15 Released!

[Basilisk-Dev]

Basilisk 2023.09.15 has been released!

This release uses the same UXP platform version as Pale Moon 32.4.0.1

This build introduces GTK2 Linux builds for x86_64.

FreeBSD, aarch64 Linux, and macOS builds will be released soon.

The autoupdate service does not currently support FreeBSD, aarch64 Linux, and macOS builds so a manual update is required on these operating systems.

See the release notes for more information.

See the downloads page to download the update.

Update: FreeBSD/Mac/aarch64 Linux builds are now available for 2023.09.15

[Night Wing]

I am a fan of GTK2 builds for browsers.

I have never tried the linux Basilisk browser because it was GTK3, but I am now going to download the linux GTK2 tarball, extract the Basilisk folder and give Basilisk a test drive.

[Night Wing]

I am typing this post using the 64 bit linux Basilisk browser. So far so good. Got uBlock Origin installed and light themed skinned it in both Aqua and Lime. Both colors with black text. Little bit bright on my eyes in those two themed colors so I went back to the default theme. I also installed the Photonic main theme which allows more bookmarks on the Bookmarks Toolbar than the Default main theme.

[Pallid Planetoid]

Windows found a malware threat (as illustrated in screen-shot) while updating Basilisk to this (2023.09.15) release.

malware threat updating Basilisk.png

Affected file: the Basilisk "plugin-containter.exe" (has been quarantined).
Can I get more details on this "plugin-container.exe" file and what's happened please (why and what it means etc.)? What is this file for and what impact is there on Basilisk?

[Pallid Planetoid]

This file ("plugin-container.exe") has been quarantined (as containing "severe [Trojan:Win32/Wacatac.B!ml] malware") by Windows on my laptop (win10) apparently as a result of the 2023.09.15 update of Basilisk (Windows immediately quarantined the file upon doing the update):

Basilisk 'plugin-container.exe' file quarantined by Windows.png

(it, the "plugin-container.exe" file, no longer exists for Basilisk on my laptop as it has been quarantined by Windows, however it still does exist on my Desktop that I have not yet done a Basilisk update on, read further)
1) It appears I am to assume malware was detected by Windows in this Basilisk executable file (as of this release)?
2) What does this mean to Basilisk to have this file quarantined?
3) This file (on my Desktop and is where I got this screen-shot from just now) is still a part of Basilisk on my other (Desktop) machine - I have not updated Basilisk to the current 2023.09.15 release on my Desktop. Should I be concerned about updating Basilisk on my Desktop?
4) Will this have an impact on Basilisk plugins (on my laptop where the file has been quarantined)?
5) Any more vital information that can be provided would be helpful.

I'm assuming, considering there has been no reporting by anyone else on this, that I'm the only one that has had this happen....

That said...

... At this point, I will put-off updating Basilisk to this new 2023.09.15 release on my Desktop (until I know more about all of this ).

[moonbat]

Plugin container is a standard binary used to run plugins (Flash, Java etc) in a separate process for security, even Pale Moon has this. Could be a false positive from your AV.

[Pallid Planetoid]

I have submitted the file to Microsoft for analysis. It is "pending" Final Determination at this point, however the initial "current detection" results states "no malware detected". I have also manually scanned the executable file multiple times with a result of "0 threats found", so I'm inclined to think perhaps Windows Defender jumped the shark (as in to make a hurried judgment) and reported a "false" positive. It certainly is alarming to see the way the alleged malware is characterized as "severe threat" that is a "dangerous program that executes commands from an attacker" as it was described when I selected the file to be sent to Microsoft for "Final Determination". This has not occurred previously for this file (and never for Pale Moon, that uses the same file name) - which makes me wonder if the unknown or unverified publisher status of Basilsik might have some (limited) potential impact on Windows Defender (off-hand I can't see how that would be the case, just trying to understand why Basilisk got this malware threat results is all.)

Addendum: btw, there are currently 9 reported requests to MS for this same file-name; currently there are 7 with a "pending" status and the remaining 2 have a "Final Determination" status of "not malware". (good sign along with what we know in the interim)

[moonbat]

which makes me wonder if the unknown or unverified publisher status of Basilsik might have some (limited) potential impact on Windows Defender

This is most likely the reason. Else plugin-container.exe goes back to Firefox 3.x at least - that was when it was added to run plugins in a separate process so that they won't crash the browser if buggy.

[Pallid Planetoid]

Analysis of file completed as of September 20, 2023 12:44 AM (time of email message received).
Email message:

PIC-1 FILE ANALYSED.png

Analysis (Final Determination next two screen-shots):

PIC-2 FINAL DETERMINATION.png

My result is pointed out (top of list)

PIC-3 FINAL DETERMINATION.png

MS's wording leaves one basically satisfied, but not with the highest of reassurance as the report states: "If the detection is still observed, follow the steps below to capture support log files from the system reporting detection." Or I can resubmit the file for another scan by MS.

I take it, the expectation is that Windows Defender virus definition data-base has been updated and the file no longer is detected as a malware virus. Which would appear to be the case in as much as I've (since the detection was initially determined by Windows Defender as of when the Basilisk update was done) ran my own direct Windows Defender scans of the file with the results of "0 threats found" as mentioned in my previous post as of Sep 19, 2023 5:40 pm.

[Basilisk-Dev]

Analysis of file completed as of September 20, 2023 12:44 AM (time of email message received).

Thanks for your investigation into this. I wish their results were more conclusive but at least they found it as "not malware"

[Pallid Planetoid]

which makes me wonder if the unknown or unverified publisher status of Basilsik might have some (limited) potential impact on Windows Defender

This is most likely the reason. Else plugin-container.exe goes back to Firefox 3.x at least - that was when it was added to run plugins in a separate process so that they won't crash the browser if buggy.

Hmm, which in that case, makes it a good idea for a software's author to establish verified publisher status on their respective software. (besides it just looks better, more representative you might say in that doing so promotes more assurance for users and simply looks more professional. I know, I know - there's the cost of doing so... in general, it's rare to not have verified publisher status for "active" software - absent, generally, this really only happens on old no longer supported software. It is what it is...)

[Pallid Planetoid]

Analysis of file completed as of September 20, 2023 12:44 AM (time of email message received).

Thanks for your investigation into this. I wish their results were more conclusive but at least they found it as "not malware"

You're very welcome.

[Basilisk-Dev]

Hmm, which in that case, makes it a good idea for a software's author to establish verified publisher status on their respective software. (besides it just looks better, more representative you might say in that doing so promotes more assurance for users and simply looks more professional. I know, I know - there's the cost of doing so... in general, it's rare to not have verified publisher status for "active" software - absent, generally, this really only happens on old no longer supported software. It is what it is...)

How would someone go about doing this? I'm not a Windows user (excluding the virtual machine I use to compile Basilisk for Windows) nor do I do any Windows development outside of Basilisk so I have no idea how to do that.

[Pallid Planetoid]

How would someone go about doing this? I'm not a Windows user (excluding the virtual machine I use to compile Basilisk for Windows) nor do I do any Windows development outside of Basilisk so I have no idea how to do that.

I figure you know this - but here's a link on the topic (from the perspective of users and developers): https://signmycode.com/blog/how-to-fix-unknown-publisher-security-warning.

As you know, this dialog message below (picture of what users get installing/updating Basilisk) is because of Windows UAC (User Account Control) protection (which is a good idea for all users to have enabled and is by default in Windows):

IMG_20230920_080018651_HDR.jpg

As you can see not a good look and in some cases can cause users to have second thoughts about installing/updating software that does not have a certified publisher

Here is another link that covers what I presume ("presume" because this is not something I know much about, as I've never published software) a software developer needs to do to resolve the issue discussed here (I have no idea what if any costs are involved - I'm assuming there are costs, which would be the understandable reason why it's not been done): https://stackoverflow.com/questions/70035042/what-is-causing-to-show-publisher-to-unknown-on-uac-despite-signing-exe-using-si.

This all said, most if not all of us that use Basilisk know the situation so it's not perhaps that critical -- nevertheless, potentially as far as new users are concerned it could understandably be an issue of course.

[Moonchild]

makes it a good idea for a software's author to establish verified publisher status on their respective software.

It's been the main reason for me to use code-signing on Pale Moon. Not because I wanted to advertise my name as the author, but primarily because there was rumor going around that unsigned, network-enabled software would get heavily scrutinized or flat-out refused on Windows.

The problem is that getting a code-signing certificate is (very) tightly controlled, especially ever since StartCOM was strong-armed out of the CA market. If you're in the States, ID verification is a little simpler, but if your photo ID does not include your residence address then you are required to find a public notary for a face-to-face identity verification. That's an expensive bit of paperwork. The main reason it's so inflexible is because there are very few broadly-accepted CAs that allow issuance of code-signing certificates and they are pretty much all based in the United States and wanting US-native ID verifications (which don't really apply outside of the US, requiring additional legal steps).

That said if you satisfy requirements it's not particularly difficult, technically, and Sectigo has a fairly OK way to purchase code signing certs as an individual.

[athenian200]

Hmm, which in that case, makes it a good idea for a software's author to establish verified publisher status on their respective software. (besides it just looks better, more representative you might say in that doing so promotes more assurance for users and simply looks more professional. I know, I know - there's the cost of doing so... in general, it's rare to not have verified publisher status for "active" software - absent, generally, this really only happens on old no longer supported software. It is what it is...)

If you feel that way, you should probably only be using software from large organizations. I'm pretty sure that is part of the idea behind these requirements. I get the feeling eventually most UXP applications (aside from perhaps Pale Moon) are going to be forced off of Windows and Mac because they won't allow just anyone to publish software anymore. It's becoming more like the App Store model on mobile devices. If you don't have money to throw around to make yourself look good, you don't get to play.

I mean, you have a point about all of this, but that point is exactly what is going to kill off smaller, independent projects like this sooner or later. You will be told to stick with the bigger, more established players that can afford all of this security theater easily and to avoid anyone who can't. And yeah, that will probably protect you from hackers somewhat... while conveniently locking a lot of innocent developers out solely for not having extra cash to be able to meet these requirements. And I imagine the requirements will only get more stringent (read: expensive), not less.

It doesn't make me very happy to see that users here at least somewhat agree with these expectations and need to hear an analysis from a major software company in order to have any trust. If that's what is expected, then honestly that's not realistic and it may not be worth continuing with independently developed UXP applications aside from Pale Moon on major operating systems...

[Pallid Planetoid]

^ I've work 12 years now for a software developer that is a one person operation out of his home that accounts for virtually his entire income and been doing it for well for over 20+ years (that does have a very large customer base, however, mostly specific to one product) that certifies his ownership and would never in the very least consider publishing as "unknown" not only because of the impact it would have on his current customer base, but most importantly the impact this would have marketing his software.

[Bilbo47]

It doesn't make me happy to see that users here at least somewhat agree with these expectations and need to hear an analysis from a major software company in order to have any trust. If that's what is expected, then that's not realistic and it may not be worth continuing with independently developed UXP applications

Please don't let the bastard trolls get you down. Discouragement is one of their many psych attacks. Simply knowing that's what they are can help with ignoring them.

[Pallid Planetoid]

Since I'm assuming the biggest barrier to validating the Basilisk software (called either "code signing" and/or "authenticode") would likely be cost (besides the obvious hassle, which is understandable as well as it is admittedly a bit of a hassle ).
I've discussed this with the developer I know and according to him the cost is currently anywhere between $100 - $60 per year, depending upon whether the agreement is on an annual basis or for up to 3 years. That said, there are mutterings that costs will, in a few cases, be going up perhaps this year unfortunately and I'd add, sadly for some services substantially (considering the limited number of services there are). It's worth noting, the developer I mentioned has been validating his software going back to 2014 (simply because the "scrutiny" that Moonchild mentioned can be a factor for some users, albeit, for the most part new users I would add)

Just thought you might be interested in more info on this topic.

[athenian200]

^ I've work 12 years now for a software developer that is a one person operation out of his home that accounts for virtually his entire income and been doing it for well for over 20+ years (that does have a very large customer base, however, mostly specific to one product) that certifies his ownership and would never in the very least consider publishing as "unknown" not only because of the impact it would have on his current customer base, but most importantly the impact this would have marketing his software.

Very well, that only refutes my point about it being large software developers, but it brings another VERY important point to mind, namely that he is being paid enough to make this his full-time job. I'm developing Epyrus as a hobby and I make no money from it, and I imagine the same is true for Basilisk-Dev and his browser. To be perfectly blunt, if this is an expectation users have, then they need to be paying us so we can afford to make it "look more professional." Otherwise, it's not fair to ask this.

I've discussed this with the developer I know and according to him the cost is currently anywhere between $100 - $60 per year, depending upon whether the agreement is on an annual basis or for up to 3 years.

https://comodosslstore.com/code-signing ... ertificate

I'm afraid that's just not true... if it were that inexpensive, I would have one. The going rate seems to be closer to $300 a year, and the lowest I've seen is $200 a year. Like I said, this is basically enterprise level security stuff, they are shipping hardware tokens, FIPS compliant modules... they are not playing around, this is the high-grade stuff that is not realistic for normal people to afford.