Hacker News new | past | comments | ask | show | jobs | submit login

With Pale Moon the largest risk is that as far as I know the ESR branch they forked away from no longer gets security patches from Mozilla.

So you probably don't need to do effort to find a 0-day, just browse old Mozilla CVE disclosures.

I'm sure they at least attempt to patch these, but it's often all too easy to screw up a patch and leave some part of the vulnerability still exposed. Look at what happened when Google tried to patch the stagefright vulnerability.

Again with the FUD? I've witnessed the last couple big 0-day discovered by the Tor people were patched in Pale Moon before Mozilla pushed out theirs for Firefox.

edit: I'd reply to your response below normally but apparently I don't get to reply to any comments on HN anymore. The reply button has disappeared. When I log out of my 5 year old/458 karma account it's back. I guess my opinion isn't wanted here.

You have a good point there. I bet a least a couple of those are present. But you've also completely missed my point. When looking through the FF known vuln list the vast majority are for things like WebRTC, WebGl, and other attack surfaces that Pale Moon intentionally avoids.

The whole point of my post, which you seem to have completely and utterly missed, was that you don't need 0-days for exploiting Pale Moon. Every single Mozilla CVE published from Firefox 38 to Firefox 50 is potential issue for it. The amount of 0-days in there is exceedingly low, but amount of CVE is very high, because Mozilla publishes CVEs for security bugs they find themselves. AFAIK Google also does this, but Microsoft doesn't.

This isn't FUD. You can literally go read the list:


I count over 174 fixed vulnerabilities and stopped at version 48. Yes, some of these might not apply to Pale Moon because they're new vulnerabilities or it has the relevant feature disabled. You think anyone did the work to go through them all? Let alone backport the ones that are relevant?

Mozilla used to do this work for Pale Moon by virtue of still backporting the most important ones (i.e. not all) to ESR38. Not any more. Good luck!

the vast majority are for things like WebRTC, WebGl, and other attack surfaces that Pale Moon intentionally avoids

Pale Moon supports WebGL nowadays. It's needed for a few things like Google Maps to not suck. Of course, the implementation is outdated, which is perhaps what made you think it's not there...

Pale Moon does not completely ignore these though as you seem to be suggesting, they indeed do at least try to patch these.

And I'm betting most of the time they succeed. There may be a few weird ones with edge cases that they've screwed up though and some subset of the vulnerability is still possible.

Scroll through Mozilla's security announcements, pick ones at random, find the patch that fixed it and see if it ever got applied to Pale Moon. In many cases they haven't.

I have pointed out many of these and argued with Pale Moon devs about it. "Moon Child" believes they don't need to apply patches if they can't replicate the PoC from Mozilla's bugzilla.

These are things that are obviously vulnerable and need to be fixed (such as missing bound checks in the XML parser).

If someone ever cared enough to target Pale Moon users they would have an absolute field day with all the known Firefox vulnerabilities they could use.

The reply button has disappeared.

HN delays the visibility of the reply link on threads that seem to be getting too deep too quickly.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact