Highly critical

Pale Moon Use-After-Free and Security Bypass Vulnerabilities

Release Date:  2012-07-19    Views:  5,001

Secunia Advisory SA49981

Description


Two vulnerabilities have been reported in Pale Moon, which can be exploited by malicious people to bypass certain security restrictions and compromise a user's system.


Subject: Pale Moon Use-After-Free and Security Bypass Vulnerabilities

User Message
howiem9999 RE: Pale Moon Use-After-Free and Security Bypass Vulnerabilities
Member 30th Aug, 2012 01:18
Score: 2
Posts: 31
User Since: 8th Dec 2008
System Score: 100%
Location: TH
Last edited on 30th Aug, 2012 01:18
PSI3 latest version is trying to autodownload and install Pale Moon 12.3, but it appears to be stuck and not updating anything. Perhaps that is because the latest version of Pale Moon is 15.0.

--
howiem
Anthony Wells RE: Pale Moon Use-After-Free and Security Bypass Vulnerabilities
Expert Contributor 30th Aug, 2012 14:56
Score: 2470
Posts: 3,359
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 30th Aug, 2012 15:09
Hi,

As support have not responded and according to the Pale Moon Release notes version 12 is "discontinued" and version 15 includes "security fixes":

http://www.palemoon.org/releasenotes-ng.shtml

plus, Secunia are loath to update across platforms when "both are supported and/or secure". I would suggest you contact support@secunia.com direct by email and advise them of this detection problem.

EDIT: Do you 1) have version 15 loaded and detected by the PSI and/or 2) also have an old file of 12 that the PSI is reacting to?

Which version of the PSI are you using?

Take care

Anthony



--


It always seems impossible until it's done.
Nelson Mandela
howiem9999 RE: Pale Moon Use-After-Free and Security Bypass Vulnerabilities
Member 30th Aug, 2012 21:09
Score: 2
Posts: 31
User Since: 8th Dec 2008
System Score: 100%
Location: TH
Hi Anthony,
I am using PSI 3.0.0.3001 which I downloaded and installed on 27 July 2012.
You are right, I did have a second installation on my C drive (V. 12) which I just uninstalled after seeing your note. However, I ran a new scan with PSI and it is still detecting version 12 on my D drive even though I had installed version 15. One strange thing was that although properties initially showed version 15, after I removed version 12 from the C drive, the D drive installation began showing version 12.x. I finally removed Pale Moon completely and did a cleanup and PSI no longer detects it.

Thanks for the quick response.

--
howiem