Tuesday, October 08, 2024

Pale Moon Version 33.4.0 Released with Security Updates

Pale Moon has been updated to version 33.4.0. This is a development and security update.

Changes/fixes:

  • Introduced the "ghostbuster" concept; this is an automated internal mechanism to attempt cleanup of particularly problematic web content after a tab or window is closed. See implementation notes.
  • Added support for the PROT_MPROTECT security feature on targets that use it (notably PaX and NetBSD).
  • Implemented preferences to give the user control over the Same-Origin Policy (SOP) and CORS preflight. See implementation notes.
  • Improved buildability on NetBSD and Altivec architectures.
  • Fixed building issues on Apple Silicon Mac with XCode 16.
  • Added workarounds for non-standard MSE/WebM/VPx encoding on YouTube that could cause video buffering and halting issues.
  • Dev: Changed the default credentials mode for module scripts from 'omit' to 'same-origin', aligning with mainstream.
  • Dev: Implemented getTransform and setTransform with DOMMatrix arguments.
  • Dev: Implemented ES2023 Hashbang grammar proposal.
  • Fixed an issue with JavaScript's StructuredClone.
  • Security issues addressed: CVE-2024-9396.
  • Rejected: CVE-2024-9398 (properly informing the user about attempts to use unhandled protocols by web pages is considered more important than potential determination whether a handler for such a protocol is installed).

Implementation notes:

  • When very complex "modern" websites get closed by the user, it is possible that the browser is unable to properly release all the resources attached to them, especially those resources, modules and scripts that were part of Shadow DOM or complex interlinked module scripts. This can then result in "detached" web content and scripts that continue to use memory and keep active event listeners and loaded scripts. Mainstream browsers are less affected by this as their multi-process setups will effectively "throw the baby out with the bath water" by simply killing the relevant content process. Since we don't have that luxury of a lazy solution to an architectural problem, we need to handle these so-called "ghost windows" resulting from this problem internally without restarting the browser process. This version of Pale Moon introduces the "ghostbuster" concept to try and address this: an automated, internal mechanism that periodically checks for the existence of ghost windows and severs their links, so that garbage/cycle collection can come in afterwards and release the resources, hopefully preventing browser slowdowns and inflated memory usage over time. If this, for some reason, causes issues for you, you can disable the ghostbuster by setting the preference browser.ghostbuster.enabled to false. If flipping this preference to false resolves your issue, please also report it (in detail) on the forum, so we can look into improving this new feature.
  • By user request, primarily for advanced power users who need this for their local setups, 2 new preferences were introduced to control how the browser deals with same-origin and CORS.
    • security.same_origin_policy.enabled, when set to false, will completely disable checking if scripts are allowed to be loaded based on the same-origin policy. Security warning: this is a really bad idea on the open web and you should never blanket disable the Same-Origin Policy check in a web browser for normal use.
    • content.cors.bypass_preflight_request, when set to true, will no longer send CORS preflight requests or check preflight responses and always allow cross-origin requests. Note that this kind of request is normally only made if sending a request to a server might result in data changes server-side (e.g. POST). This preference only does something when CORS is already disabled; provided primarily for specific corner cases where CORS is disabled and preflight checks (providing an extra safety net for server data) need to be shut off too.
    There are dragons hiding in these two preferences. Please handle them responsibly.
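
A profile audit for the preferences described above, as an added example that is not part of the release notes or of Pale Moon's own code. It assumes the profile's prefs.js or user.js uses the standard `user_pref("name", value);` line format; the sample profile text is constructed.

```python
import re

# Preferences named in the release notes, paired with the value that
# weakens the browser's protections when set by the user.
RISKY = {
    "security.same_origin_policy.enabled": (False, "Same-Origin Policy checks disabled"),
    "content.cors.bypass_preflight_request": (True, "CORS preflight requests bypassed"),
}
# Not a security control, but worth surfacing when reviewing a profile.
INFO = {"browser.ghostbuster.enabled": (False, "ghost-window cleanup disabled")}

# Matches only active boolean prefs; commented-out lines do not match.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;')

def parse_bool_prefs(text):
    """Return {name: bool} for boolean user_pref lines; the last entry wins."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = (m.group(2) == "true")
    return prefs

def audit(text):
    """Return (severity, pref, reason) for each pref set to its weakening value."""
    prefs = parse_bool_prefs(text)
    findings = []
    for table, severity in ((RISKY, "HIGH"), (INFO, "INFO")):
        for name, (bad, why) in table.items():
            if prefs.get(name) is bad:
                findings.append((severity, name, why))
    return findings

# Constructed sample profile contents (not taken from a real profile).
SAMPLE = '''\
// constructed prefs.js excerpt
user_pref("browser.ghostbuster.enabled", false);
user_pref("security.same_origin_policy.enabled", false);
// user_pref("content.cors.bypass_preflight_request", true);
user_pref("browser.startup.page", 3);
'''

if __name__ == "__main__":
    for severity, name, why in audit(SAMPLE):
        print(f"[{severity}] {name}: {why}")
```

Running the same check over user.js as well as prefs.js catches settings that are re-applied at every browser start.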

*DiD: This means that a fix is "Defense-in-Depth": It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

**Rejected security patches: This means that patches were theoretically applicable to our code but considered undesirable, which could be due to unwanted changes in behavior, known regressions caused by the patches, or unnecessary risks for stability, security or privacy.

Pale Moon includes both 32- and 64-bit versions for Windows: Pale Moon for Windows downloads.

Update: To get the update now, select "Help" from the Pale Moon menu at the upper left of the browser window.  Select About Pale Moon > Check for Updates.

Release Notes
Release Cycle

