Pale Moon 27.9.2 security update released
Pale Moon 27.9.2 is the latest version of the web browser; it was released yesterday to the public and is already available via the web browser's automatic update functionality.
The new version of Pale Moon fixes several security issues in previous versions of the web browser and improves stability as well.
Existing Pale Moon users may select Pale Moon > Help > About Pale Moon to display the installed version of the browser. A click on the "check for updates" button checks for a new version which may be downloaded and installed automatically when found.
Users may download Pale Moon from the official website as well if they prefer that.
Pale Moon 27.9.2
The security fixes match patches that Mozilla released for Firefox ESR 52.8 and Firefox 60. Some of Mozilla's security patches are not integrated because they fix issues that Pale Moon is not affected by; this is the case for features that are not part of Pale Moon.
Pale Moon shares code with the Firefox web browser, and the Pale Moon team usually releases security updates for the browser shortly after Mozilla ships a new Firefox version with security updates.
Pale Moon 27.9.2 addresses the following security issues:
- (CVE-2018-5174) Moderate: Prevented a potential SmartScreen bypass on Windows 10. Affects Firefox on Windows 10 April 2018 Update machines only. Pale Moon (and Firefox) associated a flag with downloaded files that bypassed SmartScreen verification.
- (CVE-2018-5173) Moderate: Fixed an issue in the Downloads panel improperly rendering some Unicode characters, allowing for the file name to be spoofed. This could be used to obscure the file extension of potentially executable files from user view in the panel.
- (CVE-2018-5177) Moderate: Fixed a vulnerability in the XSLT component leading to a buffer overflow, and a crash if it occurs.
- (CVE-2018-5159) High: Fixed an integer overflow vulnerability in the Skia library resulting in possible out-of-bounds writes, which could lead to a crash and potential exploitation by web content.
- (CVE-2018-5154) High: Fixed a use-after-free vulnerability while enumerating attributes during SVG animations with clip paths that may result in a crash and exploitation of that crash.
Pale Moon 27.9.2 includes two additional improvements. The new version addresses several stability issues and memory safety hazards, and comes with changed language strings for softblocked items.