Pale Moon Version 25.8.0 Released with Security Updates

Started by Corrine, November 17, 2015, 06:47:45 PM

Corrine

Pale Moon has been updated to version 25.8.0.  The update is described as a security, stability and usability update.

Three of the security updates are identified as DiD, "Defense-in-Depth".  These fixes do not apply to actively exploitable vulnerabilities in Pale Moon.  Rather, the purpose of the updates is to prevent future vulnerabilities caused by the same code when surrounding code changes, exposing the problem.

Security fixes:


  • Updated the libpng library to 1.5.24 to address critical security issues CVE-2015-7981 and CVE-2015-8126.
  • Updated the NSPR library to 4.10.10 to address several security issues.
  • Updated the NSS library to 3.19.4 to address several security issues.
  • Fixed a memory safety hazard in SVG path code (CVE-2015-7199).
  • Fixed an issue with IP address parsing potentially allowing an attacker to bypass the Same Origin Policy (CVE-2015-7188).
  • Fixed an Add-on SDK (Jetpack) issue that would allow scripts to be executed despite being forbidden (CVE-2015-7187).
  • Fixed a crash due to a buffer underflow in libjar (CVE-2015-7194).
  • Fixed an issue for Android full screen that would potentially allow address spoofing (CVE-2015-7185).
  • Added size checks in canvas manipulations to avoid potential image encoding vulnerabilities like CVE-2015-7189. DiD
  • Fixed potential information disclosure vulnerabilities through the NTLM authentication mechanism. Insecure NTLM v1 is now disabled by default, and the workstation name is set to WORKSTATION by default (configurable with a preference for environments where identification of workstations is done by actual reported machine name). This avoids issues like CVE-2015-4515.
  • Fixed a potentially vulnerable crash from a spinning event loop during resize painting. DiD
  • Fixed several JavaScript-based memory safety hazards. DiD

For information on included fixes/changes, see the Release Notes.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

plodr

As always, thank you Corrine.
Without your posts, I suspect our computers would not be up to date.  ;D
Chugging coffee and computing!

Corrine

Fortunately, ky331 also keeps track and frequently gives me a heads up.  (He is also pretty good at catching my mistakes!)



plodr

This is interesting. I updated 4 Win 7 computers last night and as always, I also check for addon updates and do them.

Later my husband brings his laptop to me and shows me this ad floating on top of his Juno webmail page. It wants to "fix" his computer! Fortunately, he never clicks on anything he doesn't understand. I keep clicking NO which does absolutely nothing. Of course the large green fix it button is highlighted. I stare closely at the box and in very tiny letters at the lower left it says reimage dot com. I remember this as being snake oil.

Fortunately I was able to right click the ad and have AdBlockLatitude remove it. But I wondered why it wasn't blocked from the get go.

I have ABL on his two computers and I have AdBlockOrigin on my two computers because I'm testing this. I might change his addon to ABO.

Just to be sure nothing was on his laptop I scanned with MS Security Essentials and MBAM. Nothing was found, not even PUPs.

Corrine

Pale Moon Version 25.8.1 has been released to address two important issues.  Although no security updates are included, it is recommended that the update be installed.

Pale Moon - Release Notes


