Software-update: Pale Moon 28.12.0

Versie 28.12.0 van Pale Moon is uitgekomen. Deze webbrowser is ooit begonnen als een fork van Mozilla Firefox. Door optimalisaties voor moderne hardware en het weglaten van Accessibility features en Parental Controls presteerde hij toen een stuk beter. Ook was er een 64bit-versie beschikbaar, ruim voordat Mozilla deze zelf aanbood. Sinds Mozilla in versie 57 is overgestapt op Quantum, is er echter weinig meer dat de twee browsers nog verbindt.

Vlak voordat Mozilla met Quantum kwam, heeft het Pale Moon-ontwikkelteam de sourcetree van Firefox nog een keer geforkt en er de verbeteringen van Pale Moon aan toegevoegd. Zo is er bijvoorbeeld de lay-outengine Goanna, een fork van Gecko, waarvan nu de vierde generatie uit is. Daarnaast is er het Unified XUL Platform, dat kan worden beschouwd als een tegenhanger van het op Chromium gebaseerde Electron. De download van Pale Moon is alleen in het Engels; een apart Nederlands taalbestand is beschikbaar. De releasenotes voor deze uitgave kunnen hieronder worden gevonden:

Changes/fixes:

• Added controls for WASM to the browser's preferences, and enabled by default.
• Enabled various arbitrarily-disabled CSS functions.
• Added the use of basic path descriptors (i.e. polygon) to css clip paths.
• Implemented multithreaded request signal handling for the Abort API. Please see implementation notes below.
• Updated the included US-English dictionary, adding approximately 2500 additional words.
• Removed the DOM battery API. This was already disabled for privacy reasons for a long while.
• Fixed an erroneous warning displayed on toolkit-only add-ons like supplied dictionaries.
• Fixed an issue with the sessionstore tab load preference.
• Improved the generation of the names of downloaded files to prevent confusion. (CVE-2020-15658)
• Fixed a code issue with base64 encoding of data.
• Fixed 2 safety hazards in JavaScript. (One being CVE-2020-15656) DiD
• Fixed a spec compliance issue with regards to the cross-origin loading of scripts. (CVE-2020-15652)
• Improved the loading of a system DLL on Windows, preventing low-risk hijacking potential. (CVE-2020-15657) See implementation notes.
• Unified XUL Platform Mozilla Security Patch Summary: 4 fixed, 2 defense-in-depth, 15 not applicable.

Implementation notes:

1. In 28.11.0, we introduced the Abort API as new code. The implementation of it still had an issue where especially web workers would not always see the availability of abort signals on fetch requests while AbortSignal was implemented in the browser. This effectively made some websites (especially those using a particular polyfill for the Abort API that would detect the need to polyfill by way of Request.signal) throw errors that were fine before. We offered users a workaround by temporarily disabling the AbortController in the browser by way of a preference (dom.abortController.enabled).
   v28.12.0 fixes the multi-threaded handling of signals, which should solve these problems. As such, the workaround is no longer needed and upon upgrade the preference will be reset to enable AbortControllers again.
2. DLL-hijacking on Windows would only be possible if a malicious actor already either gained administrative access to the program's installation folder or otherwise have unrestricted access to the program folder (by having it installed in local application folders inside the user's profile space or other insecure program locations). In that case the system is already compromised and any executable can be replaced, so having dll loading hijacked would be the least of your concerns (i.e. the main program .exe could also be replaced/infected in that case).

DiD This means that a fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.