Concerned about the integrity of the web installer I used

Post by catinahat » 2019-07-12, 04:57

I read the "Data Breach Post-Mortem" post and I have concerns about the installer I downloaded and ran on one of my computers last year. It was downloaded & run on 15-02-2018. The file name is "palemoon-websetup.exe" and it is 776KB and the version in the details states 5.2.0.97.

I was not very concerned initially as the post states it is only archived files affected and I would have downloaded it from the palemoon main website. However I ran a PowerShell script to get the hash details of the above and the SHA256 is: 286588A186ADFFD4719DBB725131DF17F06CFC5AB3F11B762635D7FDCB39942F. There does not seem to be any such hash number listed on https://pastebin.com/Lp27meQe (the page you linked to with clean hashes). I wondered if that was only because the page lists the full & portable 32bit & 64bit installers only, but then I saw on your downloads page on palemoon that the web installer has been removed due to a security issue.

So now I'm worried that the file I used was one of the infected installers. I do not recall my AV complaining when I ran the file, but obviously this was a while ago so I may have forgotten.

Please could "Moonchild" or someone who knows about the web installer hashes advise me about the integrity of this file. It is detected by just one engine in VirusTotal: https://www.virustotal.com/gui/file/286 ... /detection

Moonchild
Pale Moon guru
Posts: 35474
Joined: 2011-08-28, 17:27
Location: Motala, SE

Post by Moonchild » 2019-07-12, 10:43

Web installers/stub installers are no longer used due to concerns about it insecurely loading DLLs.
There is no use for this program anymore, as on-line installations are no longer a thing at this time. So, you can just delete it.

As for its integrity, the web installer was never archived on the archive server to my knowledge so should never have been compromised. Do note that all web installers were code-signed so it should have a digital signature if unmodified.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

xenarulz
Moongazer
Posts: 10
Joined: 2018-02-04, 21:58

Post by xenarulz » 2019-07-13, 11:11

I apologize for the dumb question.
I think I have never used the archive server, but I've been using PM for long and I'm not sure. I have run an antivirus scan and everything seems fine. One last thing remains to be done to be totally sure I'm ok, checking the hashes.
But I never checked the signature of a file and I dunno where to start regarding a program that's already being installed. The only times I did it, it was after the download to see if it was ok, but once it's on, what do I do?
Once again apologies for the dumb question, could anyone give me a link to a site explaining the steps with simple words and little technical language?
Thanks

PS the Linux files are all ok, correct? I have a dual boot system... PM on both ends.

Post by Moonchild » 2019-07-13, 13:04

To check the digital signature of a Windows executable, right-click the .exe in Explorer, select "Properties".
It will have a tab "Digital signatures" for signed executables.
As for your Linux question: Only Windows .exe files were affected, and at that only the .exe files of the installers and portables. (zip files and files *inside* the installers or archives were not touched, as I already stated a few times).

therube
Board Warrior
Posts: 1650
Joined: 2018-06-08, 17:02

Post by therube » 2019-07-13, 14:06

It will have a tab "Digital signatures" for signed executables.
Potentially, even a corrupted file will have that too.
AFAIK (I know just about nothing about such things), but you'd have to actually click (Mark Straver) -> Details, & verify that "This digital signature is OK".

Alternatively, a tool like sigcheck (for which there are GUIs too).

Code:

Sigcheck v2.71 - File version and signature viewer
Copyright (C) 2004-2018 Mark Russinovich
Sysinternals - www.sysinternals.com

Y:\XOUT\DAILYMOTION\palemoon.exe:
	Verified:	The digital signature of the object did not verify.
	Link date:	07:23 PM 06/29/2019
	Publisher:	n/a
	Company:	Moonchild Productions
	Description:	Pale Moon web browser
	Product:	Pale Moon
	Prod version:	28.6.0
	File version:	4.3.0
	MachineType:	64-bit
https://docs.microsoft.com/en-us/sysint ... s/sigcheck
Verified: The digital signature of the object did not verify.

Post by Moonchild » 2019-07-13, 14:18

I'm pretty sure if a file is not just hexedited/corrupted but actually infected with malware, that it actually no longer shows the digital signature (due to the fact that these kinds of file changes tend to destroy overlays and extra-data containers...)
At least the builds that were infected on the archive server no longer have a digital signature, at all.

Post by therube » 2019-07-13, 14:21

Heh, OK thanks for the clarification (in your edit).
That makes more sense.

In any case, if there is a Digital Signature, it certainly can't hurt to take that extra step, click Details, & verify that it does in fact say, "OK".

-------

You're getting beyond me...

Just stating that the simple existence of a digital signature does not mean that it is valid, or that the file has not been tampered with.

Code:

Sigcheck v2.71 - File version and signature viewer
Copyright (C) 2004-2018 Mark Russinovich
Sysinternals - www.sysinternals.com

Y:\XOUT\DAILYMOTION\palemoon-26.4.0.Atom.WinXP.installer (XP).exe:
	Verified:	The digital signature of the object did not verify.
	Link date:	12:50 PM 06/14/2013
	Publisher:	n/a
	Company:	Moonchild Productions
	Description:	Pale Moon
	Product:	Pale Moon
	Prod version:	24.x
	File version:	n/a
	MachineType:	32-bit
Y:\XOUT\DAILYMOTION\palemoon-26.4.0.Atom.WinXP.installer (XP).bak.exe:
	Verified:	Signed
	Signing date:	04:43 AM 08/15/2016
	Publisher:	Markus Straver
	Company:	Moonchild Productions
	Description:	Pale Moon
	Product:	Pale Moon
	Prod version:	24.x
	File version:	n/a
	MachineType:	32-bit


 Volume in drive Y is Y-NOT
 Directory of Y:\XOUT\DAILYMOTION

07/13/2019  10:16 AM        20,053,976 palemoon-26.4.0.Atom.WinXP.installer (XP).exe
08/15/2016  04:51 AM        20,053,976 palemoon-26.4.0.Atom.WinXP.installer (XP).bak.exe
               2 File(s)     40,107,952 bytes
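
The checks discussed in this thread, as an added example (not part of any post and not Pale Moon's own tooling): a PowerShell script that compares a file's SHA-256 against a list of published hashes and reports the Authenticode status instead of the mere presence of a signature. The list file name and its layout (one hash per line, optionally followed by a file name) are assumptions; the expected signer is the Publisher shown in the Sigcheck output above.

```powershell
# Added example: triage a downloaded Windows executable by hash and signature status.
param(
    [Parameter(Mandatory)] [string] $Path,
    # Assumption: a local text file holding the published known-good SHA-256 values.
    [string] $KnownGoodList = '.\known-good-sha256.txt',
    # Publisher name as it appears in the Sigcheck output quoted in this thread.
    [string] $ExpectedSigner = 'Markus Straver'
)

# 1. Hash check: Get-FileHash returns upper-case hex, so normalise the list the same way.
$hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
$hashListed = $false
if (Test-Path -LiteralPath $KnownGoodList) {
    $known = Get-Content -LiteralPath $KnownGoodList |
        ForEach-Object { ($_.Trim() -split '\s+')[0].ToUpperInvariant() }
    $hashListed = $known -contains $hash
}

# 2. Signature check: Status is what matters, not whether a signature blob exists.
$sig     = Get-AuthenticodeSignature -LiteralPath $Path
$subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
$signerOk = [bool]($subject -and $subject -like "*CN=$ExpectedSigner*")

$verdict = switch ([string]$sig.Status) {
    'Valid' {
        if ($signerOk) { 'signature valid, expected signer' }
        else           { 'signature valid, but NOT the expected signer' }
    }
    'NotSigned'    { 'no signature present (stripped or never signed)' }
    'HashMismatch' { 'signature present, but file contents changed after signing' }
    default        { "signature did not verify: $($sig.Status)" }
}

# 3. Report everything together so neither check is read in isolation.
[pscustomobject]@{
    File                = $Path
    SHA256              = $hash
    HashInKnownGoodList = $hashListed
    SignatureStatus     = $sig.Status
    Signer              = $subject
    Verdict             = $verdict
}
```

A hash that is absent from the list only means the file is not one of the listed builds; the signature status is the independent check in that case.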
