How serious are security alerts?

mtosev
Moongazer
Posts: 13
Joined: 2019-04-27, 21:06
Location: slovenia, eu

Re: How serious are security alerts?

Post by mtosev » 2020-01-13, 16:40

Thanks Moonchild for explaining this particular exploit. I have also read your post where you explain how you get access to Mozilla's code and how you then patch the code with relevant updates that apply to your browser.
I have just one quick question: this has nothing to do with Meltdown or Spectre security issues, correct? thx
Last edited by mtosev on 2020-01-13, 16:48, edited 1 time in total.

vannilla
Keeps coming back
Posts: 825
Joined: 2018-05-05, 13:29

Re: How serious are security alerts?

Post by vannilla » 2020-01-13, 16:47

No.
If I remember correctly, Pale Moon could never be used for Meltdown attacks because the exploit had already been patched before the vulnerability was exposed.
I might be incorrect in a few points, but due to people constantly using those two names, it's kind of difficult to find the exact post by Moonchild.

JakeF
Moongazer
Posts: 8
Joined: 2019-05-21, 15:49

Re: How serious are security alerts?

Post by JakeF » 2020-01-13, 18:30

This latest security alert, and they seem to be never ending no matter the browser, underscores -- at least for us Linux [+] users -- the security of using an OS that runs from a file, or a containerized or sandbox-capable OS like Qubes or EasyOS. If something goes sideways with one of my file-based OSes, I just delete it and paste in the backup. Easy can sandbox the whole desktop, and when you're done, it's all gone. Qubes I have yet to try. Of course another way is to remaster a Linux ISO the way you want it set up and then run it live in RAM. KolibriOS also seems very secure as it is written in FASM and should not be vulnerable to anything, and it's only 27MB large and boots in about 5 seconds. I have not tried the latest. Oh, I still have no problems running Opera 12, but now it is so long in the tooth it will not run quite a few A/V junks; but just surfing for info? Often nothing faster or better.

Moonchild
Pale Moon guru
Posts: 25753
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Re: How serious are security alerts?

Post by Moonchild » 2020-01-13, 18:37

It also completely misses the point that arbitrary code gets executed no matter how the OS is set up. Sure it may be easier to recover from corruption once you've detected that something is wrong, but the malware will still run in the meantime and do whatever bad thing the authors of it want, running happily on your hardware. It may be completely in RAM, and the malware still won't care; the only advantage then is that a simple reboot will remove it (until you get another infection the same way).
"There will be times when the position you advocate, no matter how well framed and supported, will not be accepted by the public simply because you are who you are." -- Merrill Rose

person45
Apollo supporter
Posts: 37
Joined: 2017-10-20, 07:00

Re: How serious are security alerts?

Post by person45 » 2020-01-13, 20:02

https://news.umich.edu/unhackable-new-c ... they-start
"With MORPHEUS, even if a hacker finds a bug, the information needed to exploit it vanishes 50 milliseconds later. It’s perhaps the closest thing to a future-proof secure system."

Would this be the way to prevent the browser from getting compromised? Or would malicious code still be able to take ownership of the program's rights?

Moonchild
Pale Moon guru
Posts: 25753
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Re: How serious are security alerts?

Post by Moonchild » 2020-01-13, 20:16

There is no such thing as a magic wand for sec vulnerabilities -- they simply have to be found and patched.

JakeF
Moongazer
Posts: 8
Joined: 2019-05-21, 15:49

Re: How serious are security alerts?

Post by JakeF » 2020-01-14, 17:13

Since most of the maljunks in the world are for WinX OS, this makes running a non-Win OS more of a benefit. If, however, malware is written for cross-platform apps or code like Adobe Flash, JavaScript -- the most ubiquitous code -- or Java, or other script, then who ya gonna call? The ability to turn off Flash, script, Java, yadda yadda yadda becomes important. PM now has several JavaScript blockers available, with 'Block Content' the widest ability and other script blockers nice for just turning script off/on. Still use QuickJava since it works best. I have found it best to surf with script, images, and Flash disabled and turn them on when wanted with PM. Unbeknownst to many with other browsers, FF for sure, one can turn off the aforementioned, as well as DRM, OpenH264, & Widevine and still browse nicely.

Unfortunately, the web as a whole wants to know who you are, where you come from and where you go; so more and more sites will not function without all the junks that allow tracking, spying, etc. For instance, I've a jazz site that I listen to; it will not function without DRM in FF, but plays just fine in PM. Why, I haven't bothered to find out. I have noticed that sites with real info that I want more often than not function with text browsers. That's because real info is in words. Pictures can only be understood if you have the words, whatever your language, wherein to understand the pictures or vid. The web will become more null-A as time goes by.

person45
Apollo supporter
Posts: 37
Joined: 2017-10-20, 07:00

Re: How serious are security alerts?

Post by person45 » 2020-01-14, 22:10

Moonchild wrote (2020-01-13, 13:13):
"the biggest volume of crashes has been on mobile"

Are crashes required for this malware to work? Or does it work silently in the background?

I know that a hijacked computer can have a high CPU usage for cryptocurrency mining. Would frequent crashing of a program be another clue?
