How serious are security alerts?
There was an exploit in the JIT compiler that was a "type confusion". Does this mean that an .exe file can pretend to be a jpg file? Will Pale Moon then open it?
Will Windows' User Account Control give me a prompt to block it?
Update: "when a piece of code doesn’t verify the type of object that is passed to it, and uses it blindly without type-checking, it leads to type confusion."
Apparently it doesn't mean file types but "objects" in code. Can a malicious person make Pale Moon automatically download and install a virus? What exactly is going on here?
Re: How serious are security alerts?
What you quoted is the type of problem this actively exploited vulnerability used.
The "type confusion" is about what kind of data is stored in a specific block of memory. This can lead to problems, for example if something is written to that memory that isn't the wrong type and doesn't fit in the designated space for that type (a string of characters for example needs more space than a number).
Without going in too much technical detail, this kind of problem can lead to the program crashing in such a way that it could lead to the execution of code that a malicious person pushed to the browser via a web page; that code would be executed with the same rights as the browser program itself and could therefore lead to the downloading and installation of malware with the same rights as the browser's native program code.
In this case, to answer your question in the topic title, the alert was extremely serious because the vulnerability in question had "evidence of being actively exploited" meaning there were malicious persons out there that had taken this beyond a theoretical exploit and actually used it in practice in a malicious way. The same day this vulnerability became known to the browser vendors, the issue was already being used maliciously, hence the term "0-day".
It is therefore incredibly important that everyone updates their browsers immediately. This also goes out to everyone still hanging on to Firefox 52-ESR for legacy extension use: You are vulnerable if you continue using it! Mozilla will not provide a fix for this exploit in that ESR and I suggest in that case that you try Basilisk instead which would give you an almost exactly equal experience as Firefox 52-ESR, but with it building on a safe and patched platform.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: How serious are security alerts?
Thanks for the info.
Would the malicious code be allowed through a firewall under the name "palemoon.exe"?
Or would the code be intercepted and considered to be a newly opened program?
Re: How serious are security alerts?
It has nothing to do with firewalls. Imagine for example, an image file with executable code in the header that got executed as a result of this exploit because the browser incorrectly assumed that the file was indeed an executable (say a script) and ran it. There used to be similar exploits in the IE6 days.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."
Linux Mint 21 Xfce x64 on HP i5-5200 laptop, 12 GB RAM.
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX
Re: How serious are security alerts?
moonbat wrote: ↑2020-01-12, 23:56
It has nothing to do with firewalls. Imagine for example, an image file with executable code in the header that got executed as a result of this exploit because the browser incorrectly assumed that the file was indeed an executable (say a script) and ran it. There used to be similar exploits in the IE6 days.
*sigh* This is not the kind of type confusion this particular exploit was about. Not "file type confusion" but "code object type confusion" in actual C++ code.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: How serious are security alerts?
I was thinking that since the firewall rule allows specifically "palemoon.exe" access to the internet, would there be a way to add another rule to block the malicious code?
If it's all considered the same process under Windows Task Manager, then a basic firewall won't be able to stop the extra code, right?
Re: How serious are security alerts?
A firewall won't help you for this kind of thing; the malicious code would be executed as part of Pale Moon's process.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: How serious are security alerts?
Is it possible for some sort of hash check to ensure the integrity of the core engine?
I'm guessing this would slow down performance if Pale Moon has to guard itself when visiting every website.
I appreciate your fast responses. I'm sorry for the newbie questions taking up your time. I can imagine it's like an automotive engineer talking to a customer, when it should be the local mechanic who handles these things.
Re: How serious are security alerts?
Not possible. With this kind of vulnerability, all this happens in memory and the actual core engine isn't changed.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: How serious are security alerts?
https://arstechnica.com/information-tec ... t=38507363
"Chrome is designed to assume there will be bugs and that even if you can freely execute cpu code in the webpage's process nothing bad will happen. Of course even that is not perfect but checking the CVEs it's about 10x less likely to allow a critical issue like this."
Apparently a fence can be raised around the webpage to rein in malicious code. Is it difficult to implement this feature?
"Chrome is designed to assume there will be bugs and that even if you can freely execute cpu code in the webpage's process nothing bad will happen. Of course even that is not perfect but checking the CVEs it's about 10x less likely to allow a critical issue like this."
Apparently a fence can be raised around the webpage to rein in malicious code. Is it difficult to implement this feature?
Re: How serious are security alerts?
person45 wrote: ↑2020-01-13, 09:26
https://arstechnica.com/information-tec ... t=38507363
"Chrome is designed to assume there will be bugs and that even if you can freely execute cpu code in the webpage's process nothing bad will happen. Of course even that is not perfect but checking the CVEs it's about 10x less likely to allow a critical issue like this."
Apparently a fence can be raised around the webpage to rein in malicious code. Is it difficult to implement this feature?
I saw that comment, he's confusing this problem with multiprocess browsing (i.e. spawning a separate process for every new tab that is opened) that Chrome introduced. Firefox has implemented the same, so he is incorrect in that statement.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."
Linux Mint 21 Xfce x64 on HP i5-5200 laptop, 12 GB RAM.
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX
Re: How serious are security alerts?
What they refer to is multi-process browsing and process sandboxing, which Firefox also employs (Electrolysis), and it's clear that that did not stop this vulnerability! A similar issue in Blink would be just as critical.
It's nice to spin this into a PR push of course, but they should stop trying to kick the puppy.
On top, multi-process browsing itself exposes a much larger attack surface internally because all data has to be passed back and forth between processes through a messaging system (IPC). For the record, Mozilla has had to patch over 75 electrolysis-specific security vulnerabilities (marked as such and only insofar I have marked them when auditing sec bugs) since they introduced it, most of which were high or critical security rating... I'm gathering for Chrome it would be the same.
If you want to talk about type confusion issues, that risk is much greater when using IPC because the sending and receiving end are disconnected and what in a single process would be one variable of one type (and confusion therefore isn't possible since it's literally the same object) needs an exact match in the content and master process or you'd have the same issue (in the master process, meaning with elevated privilege).
I hope you can still follow all this
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: How serious are security alerts?
I saw the rest of that thread - all claiming that moving their code from C++ to Rust will fix all these problems
If it ain't broke..
Off-topic:
Meanwhile, I've been going through XUL/XPCOM documentation or what's left of it - and it is a disgrace that in more than a decade they couldn't hire anyone competent to complete the damn thing, let alone structure it properly while tilting at windmills with dozens of now defunct projects in addition to this whole Rust and e10s.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."
Linux Mint 21 Xfce x64 on HP i5-5200 laptop, 12 GB RAM.
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX
Re: How serious are security alerts?
It won't. Rust is not a magic wand to fix bad coding or mistakes. In fact, Rust isn't strongly-typed and the moment you have inferred types, this very same problem can occur.
Also, I don't think Rust is at all suitable to implement any sort of fast paths that require the low-level gritty but raw power of C++ and assembler. A JavaScript interpreter/compiler written in Rust? A laughable idea, I think.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: How serious are security alerts?
Would it be safe to assume that this is more of a threat to Windows users rather than Linux, or does it not matter?
Apparently Mozilla are attempting to copy the sandboxing model of Chromium, but this is dependent on the operating system used, and I was under the impression that Firefox had already attained this, or I am possibly wrong.
user of multiple puppy linuxes..upup,fossapup.scpup,xenialpup.....
Pale moon 29.4.1
Re: How serious are security alerts?
They have, that was what they called 'Electrolysis' or e10s, and the reason given for dropping XUL. Firefox has been multi-process like Chrome for a while, but I guess their codebase must be a mess now from the drastic changes, to say nothing of this move to Rust.
Doing everything with Javascript is the new fashion these days - combined with using the browser for everything, which seems to be why they're throwing everything and the kitchen sink into the HTML standard from Dolby sound to gamepad support to VR.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."
Linux Mint 21 Xfce x64 on HP i5-5200 laptop, 12 GB RAM.
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX
Re: How serious are security alerts?
I am a Linux user and I would not take that chance.
a.k.a. Ascrod
Linux Mint 19.3 Cinnamon (64-bit), Debian Bullseye (64-bit), Windows 7 (64-bit)
"As long as there is someone who will appreciate the work involved in the creation, the effort is time well spent." ~ Tetsuzou Kamadani, Cave Story
Re: How serious are security alerts?
Definitely not safe to assume that. In fact, by far the biggest volume of crashes has been on mobile (Fennec on Android) according to the bug stats, so what is safe to assume is that this was actively exploited on all platforms with heavy bias towards *nix-like.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: How serious are security alerts?
Oh crap. I just switched to Fennec on my phone a few days ago. They'll take their own time to patch it, looks like. Current version says 68, but I don't know if it's in sync with desktop Firefox.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."
Linux Mint 21 Xfce x64 on HP i5-5200 laptop, 12 GB RAM.
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX
Re: How serious are security alerts?
It's fixed in 68.4.1
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite