Pale Moon 27.9.4 browser released
The Pale Moon development team has released a new version of the web browser. The new version is a security and usability update and as such a recommended update for users of the browser.
Pale Moon 27.9.4 is offered through the web browser's automatic updating system and as a separate download. Pale Moon users select Pale Moon > Help > About Pale Moon to display the current version. A click on Check for Updates runs an update check; any new version found during the check can be downloaded and installed using the functionality.
Users who prefer to download the web browser manually instead can do so on the official project website.
Pale Moon 27.9.4
Pale Moon 27.9.4 introduces several usability improvements in the web browser. Users who had issues downloading and install extensions from Mozilla's official Add-ons repository should be able to do so again.
The new version updates the useragent for Mozilla's Add-ons website to circumvent the "only with Firefox" reminders when accessing the site with the Pale Moon browser. The change should provide Pale Moon users with theme and extension downloads on Mozilla's website.
The team removed references to Mozilla's add-ons store in Pale Moon in early 2018 to prepare for the inevitable removal of all classic add-ons from Mozilla AMO. Work on another browser, called Basilisk, began in 2017.
While Pale Moon users cannot install WebExtensions in the browser, the bulk of legacy add-ons should work fine. The Pale Moon team maintains its own extensions store on the official website.
Pale Moon restricts web access to the moz-icon:// scheme because it "could potentially be abused to infringe the user's privacy". Last but not least, the new version does include a fix for the preference file not being writable.
The new version of Pale Moon includes several security fixes and Defense-in-Depth changes:
- Prevented various location-based threats.
- Fixed a potential vulnerability with plugins being redirected to different origins (CVE-2018-12364).
- Improved the security check for launching executable files (by association) on Windows from the browser. For users who have (most likely accidentally) granted a system-wide waiver for opening these kinds of files without being prompted, this permission has been reset.
- Fixed an issue with invalid qcms transforms (CVE-2018-12366).
- Fixed a buffer overflow using the computed size of canvas elements (CVE-2018-12359).
- Fixed a use-after-free when using focus() (CVE-2018-12360).
- Added some sanity checks on nsMozIconURI.
Closing Words
Pale Moon users should consider installing the update as soon as possible as it includes security updates and other improvements. As always, it is advised to create a backup of the profile before the update is applied.
Now You: what is your primary browser, and why?
i have always loved your site!!
recently i downloaded several diff.palemoon android versions looking for the three dots….setings…..where to access my installed extensiins. i found out about dpi setting which is impossible on my phone without root. if there is any way….any….other way please help. have used palemoon my pc for years..thank you martin!!! ……want to use on my phone.
https://forum.palemoon.org/viewtopic.php?f=3&t=19524&p=144409&hilit=vista#p144333
Headline Reads:
Moonchild Promises Have Been Broken in v28
@Jody Thornton: “So you’d still be fine with NO NEW uBlock Origin for example?”
I would, particularly because I don’t use it anyway. I’m more of a NoScript guy (the older one, not the new one).
“But how do you attract new users to the browser?”
I’ll bet that PM gets new users on a regular basis (particularly after the release of Quantum). I don’t see any reason why that would change. But that’s just speculation.
“Seems like a lot of effort for little gain.”
Maybe, maybe not. I don’t know what motivates Moonchild. He might not measure success in terms of the number of new users attracted. There are lots of developers that spend lots of time and effort on niche products.
Also just in:
https://forum.palemoon.org/viewtopic.php?f=1&t=19727
I wonder how many Firefox extension authors will create specifically updated XUL based addons for Pale Moon, alongside WebExtensions.
I don’t know. I wonder how many Pale Moon users care? Personally, I use Waterfox, and I have all the XUL plugins that are of interest to me. If there is no new development of XUL plugins, I’m still fine.
So you’d still be fine with NO NEW uBlock Origin for example?
Just because a lot of devoted users don’t care; that’s one thing. But how do you attract new users to the browser? Is Moonchild going to go through all of the development pains of UXP and Pale Moon 28, just so he can cater to his few users that he has?
Seems like a lot of effort for little gain. :(
@Jody Thornton You can either deliver to
1) The mass user group and to please that guys you shall not feature a rich feature set because the large general user mass is not interested in anything “bloated”. Examples are Safari, Edge, Google with Chrome and since quite some longer time now also Opera and Mozilla.
2) Or the smaller amount of users who want features and everything what the raw mass is dismissing as simply “bloated”
Moonchild does deliver to group 2.
That is as valid as delivering stuff for group 1
But with that concept you have a clear problem somehow to grasp it as it looks like.
No @ Farid, I grasp the concept – thank you. I just think it’s a lot of effort for a moving target, that will eventually leave you out of options, especially once you cannot re-base from anything.
Besides, when did a browser first and foremost become a customization tool, and then a browser second? So it’s does seem like jumbled priorities. See Farid, I grasp the concept, and I STILL think it’s foolish.
And if user growth is of substandard importance? Then STOP saying “Your browser – Your way.” Because people will expect to use the browser in the fashion they want (other than just customization), and it won’t work with key sites.
@Jody Thornton it would be also foolish if Moonchild just would do what you think it is more recommended… remove everything rich feature wise and just make a simple modified generic Firefox clone like Waterfox is becoming soon.
It is not important how long Pale Moon is staying a compatible browser with today’s web – it is important that – as long it is around – stays true to what the people who use it want – delivering features and a rich customization set.
You are hellbent to demand that Moonchild also serves the simple users with for example DRM or webextensions. And as they are not doing that, you have a problem with the slogan “your browser – your way” – so the browser should be flagged.
Let me make the following comparison. This is like the following example:
A certain group become forced to distinct themselves from the others in a visible way because a majority has issues with them at one point in time. That large mass has a certain vision how a group should be and as that smaller group is “different” they are forced to be outcast and expelled because the large group is thinking the small one has not earned it to be around and being called ans seen as ordinary.
What i want to say with this:
Just because you and others have issues with how the browser portraits it to the world outside in a certain way there is no reason why the page should not use certain wordings or phrases.
People can try out and if the browser does not fit their needs, they can use a different one.
But demanding that a project or a group has to be in a certain kind of way and if they are not – they should be forced to show that to the public…
Actually we had something of that already in the past. And it was at that point VERY BAD and it is today VERY BAD.
So, be careful what you are talking about.
@Farid:
I need not be careful what I say. If I wish to express my thoughts about marketing of Pale Moon, then I’ll have at it. Hell bent and Proud! Thanks for noticing Farid!
You might be careful about referring to Chrome/Fox users as simple. That’s plain disparaging. As for me, I just pick on a browser now. I even complimented v28 on this thread or maybe another one.
@Jody Thornton It seems you have mistaken the meaning of my post.
Perhaps i should be simple and blunt – i was talking about somewhat fascist flavored opinions – no matter in which form, way or amount – this applies also to opinion about minor browser projects – who refuse to be like the majority wants them to be – in the least worst case you can call that at least extreme bias/prejudice.
But the concepts are not too much different as one may be thinking. Also, simple is the right term. Why should one call users who prefer mainstream/minimalism/simplicity not simple one’s? As that is exactly what they want and demand and love?
The same way you could not call a power user a simple user, as they love the opposite of it.
That is the point what i wanted to present. No offense meant – All what was before unclear now understandable?
Well in better news – v28 final is out today
People who hate the annoying Goggle pseudo add-on technology called webextensions (extensions which can only be used to tinker with web content but not the depth of the browser UI) and power users in general – which Mozilla has abandoned and is still abandoning will for sure discover and use Pale Moon – at least the ones who will not switch out of protest to Chrome or Vivaldi.
User growth and advertising is not the main goal of Moonchild, so they do not care at all how many users are using Pale Moon, they care more that the ones who do have an as good as possible working browser experience… at least what can be done with limited possibilities.
FF and woolyss Chromium, the no webRTC, etc version. Some of the old type FF add ons have been updated to AMO versions. One of my favorites is New Tab Homepage, opens your homepage when a new tab is opened from the toolbar. My homepage is Duck Duck Go (could be google, etc) so a new tab equates to a new search page. Allows search bar to be removed so you can add more visible buttons.
There’s a trick to do the same in chrome, it can’t be done by changing settings or with extensions I’ve seen. In either browser, learning the config and flag settings is very useful.
I think Pale Moon represents a good alternative to browser to some recent browser trends, and seems to serve a small but loyal audience.
However, the big questions about their future, to me are:
1. Can the relatively small group very ideological that works on it really keep up with the ever-evolving modern web and stay able to render all the modern websites people need to keep it as their primary browser?
In the past, they’ve needed to “rebase” from Firefox at least twice, in part because their browser was not rendering or allowing users to correctly interact with sites. However, they’ve said they absolutely refuse to go from the pre-Quantum Gecko derived Goanna engine to something Quantum-era Gecko-based, so that means they really are going to have to put a ton of time and work into their browser’s rendering engine constantly, a job that their larger competitors probably have an exponentially greater number of people working on than Pale Moon does on the entire browser.
Their new attempt to sort of do a broad backend that several projects can work on simultaneously and pool people to do, and then have each hook into their own program’s UI, is a very intriguing potential solution, but so far as I know, only the two web browsers they develop have signed up. They need some talented people with their own projects to adopt that platform if it’s going to succeed via defacto pooled development resources. The Waterfox guy apparently turned them down flat. So, that’s wait and see, but not looking good so far.
Also, they are against EME DRM and Wildvine, and don’t even have them available as an add-on, so when Flash and Silverlight fallbacks are eliminated for things like Netflix, that’s going to be a problem for Pale Moon attracting users to their browser who like to watch web video (Which is something a lot of people like to do).
2. There are only a very limited number of add-ons that are really being maintained *for* Pale Moon. Beyond those, they can only use select old Firefox add-ons that are unmaintained, and may not be available at all soon (Firefox has moved on to a webextensions).
The only two solutions to Pale Moon’s attempt to, as their slogan says, offer “your browser, your way” that work long-term, it seems to me, would be to either adopt web extensions, which they say they don’t want to do, or build a ton of options into the browser Vivaldi style, which they haven’t suggested as an option yet.
In theory, there is a 3rd option of “Get a bunch of people to develop and maintain a huge ecosystem of add-ons for Pale Moon”, but I think they’ve been trying to do that, and the developers aren’t interested.
3. Sometimes their top people are their own worst enemies. There was a big thing where one suggested that people who use the browser without making fiscal contributions are freeloaders, and refused to apologize. That’s bad enough just as a thing to say- if you offer something for free, people can use it for free, and if you as a developer don’t like it, tough. However, it’s a double-whammy because everyone who finds that offensive can say, “You know what? The people behind Edge, Chrome, Firefox, Safari, Vivaldi, Waterfox, and whatever else never called me a freeloader (that I know of). They want me to use their browser for free. One even has a rewards program where they essentially pay me. See ya”.
There also seems to be a very conservative slant to some of what they say in official capacities on their forums and such. I don’t care about political ideology of browser makers in theory (If you make a good browser, you make a good browser), but I can tell you I had a tough time there on their forums as a liberal. There was so much like “Firefox people love Hillary and hate Trump” stuff that for a liberal, it actually made me feel like Firefox was the browser I should be using. :) Pale Moon might want to consider being a bit more neutral in its messaging.
Anyway, haven’t used Pale Moon in a long time now, but those are from what I can tell the general issues facing it. Since a diverse ecosystem of browsers that run different ways is what’s best for the end user, I’d like to see them manage to hang on. They’ve got a tough road ahead of them, though.
“Beyond those, they can only use select old Firefox add-ons that are unmaintained, and may not be available at all soon”
Existing XUL extensions aren’t going to suddenly vanish. They’ll remain available for a very, very long time to come.
If those extensions aren’t maintained, though, they represent potential security risks. With a lot of people running everything they do financially, at work, at school, with their health (A lot of doctor’s offices and pharmacies are letting people route medical questions, scheduling appointments, billing, prescription renewals, etc. online), government services and tax forms, and so on and so forth through their computers and other connected devices these days, it’s hard for many people to risk the security of their devices on extensions or software that don’t get security updates. The Pale Moon browser gets security updates, and the few extensions that are maintained for their AMO probably do as well, but the old Mozilla Firefox ones not in the AMO are largely unmaintained (Or, rather, maintained as only webextensions now, which means defacto unmaintained for Pale Moon).
Part of the switch to webextensions from XUL was justified by Mozilla by saying that XUL was less secure because it allowed developers too much latitude to alter fundamental things in ways that were hard to monitor. Now, that may or may not be correct- I would gather that Pale Moon folks, for one, would say that’s a bunch of bunk. Maybe it is a bunch of bunk. I don’t know. But what’s I would think widely agreed on is that an add-on, of any format past or present, or regardless of format, is always a potential security risk if it isn’t being actively maintained.
I guess there’s a “security through obscurity” thing where we might ask “Who’s going to be developing stuff that targets security holes in old Firefox add-ons only used by Pale Moon (and maybe Waterfox and/or some other Firefox forks) users?”. However, it’s possible that someone exploited a hole before the end of XUL use on the main Firefox branch, after the developer had moved on to working on the webextension version, or that the patch came as part of the switch. It’s even possible an extension developer missed it, and then of course stopped looking when he switched to web extensions, whereas perhaps he may have found it had he still been maintainining a XUL version. I would imagine that stuff sticks around- just a guess, but I would think there are probably still odd corners of the Internet were people never got around to taking down malware that hits browsers Netscape Navigator or Internet Explorer 5, and OSes like Windows 95 and XP. At some point, the bad guys probably have put their development time in and even if whatever they put out there only infects a machine or two once in a while, they might just leave it since they’ve already done the work.
I don’t know, I feel like it’s something that’ll have to be dealt with by Pale Moon and similar browsers somehow. Maybe the answer is developing web extension compatibility so people can use all the latest maintained stuff, but then also having XUL for developers who want to develop specifically for Pale Moon and go beyond what the web extension format allows them to do (i.e. People who want to develop complete theme extensions and whatnot). But who knows if that’s even possible. Quantum and the Rust programming language sound like massive divergences from the previous Gecko and it’s programming language, which Goanna (Pale Moon’s engine) evolved in a different less radical direction from.
They might have to do something like have an entire Quantum/Rust compatibility layer to get web extensions to work at all. On the plus side, if they went that route, they could also potentially use that layer to maybe have a “Firefox compatible” mode, a toolbar button you could click to reload a page with Quantum if it doesn’t render correctly in Goanna, similar to the old “IE tab” Firefox used to have as an add-on, but without needing to have Firefox installed or messing with a Firefox install that one might also have- using a second rending engine within the browser.
A second rending engine would probably make the browser take up a lot more hard drive space, but that doesn’t seem like a big issue in the age of 1 and 2 terabyte hard drives. What would be tricky is RAM and disk usage if they both had to load concurrently. These browsers already have a reputation for eating up a lot of RAM on low-RAM machines, and I can say the first thing to hit 100% usage in task manager on my last PC and my current PC was and is almost always disk usage- because I need a spinning hard drive to get the storage space I need, and it’s very slow compared to what even low and mid end processors and RAM can do with an SSD these days. Now, the solution is, if you need the storage space, and money isn’t an issue, have an SSD for the operating system and the programs, and an old-style hard drive for music, documents, pictures, videos, and other data, both in one PC, but that costs extra money, and not everyone can afford it.
Pale Moon seems to make a genuine effort to cater to low end hardware. I would say that, actually, Firefox does as well relative to Chrome (Firefox, for example, made the specific decision to have groups of tabs in separate processes rather than *every* tab as it’s own process because it’d be easier on old hardware. The easiest thing to do on old hardware is the old one process per *browser* method, which Pale Moon still has, but then the whole browser goes down if one tab freezes up, and there are fewer optimizations for better hardware. Firefox kind of splits the difference between the PM and the Chrome approaches- which at one point, they said was intentional, more or less- there was an article where they pointed out that their telemetry and use surveys showed their users were more likely to use older or lower end hardware than they thought, so they didn’t want to leave those folks behind, while still wanting to go to a multi-process experience, yielding the decision that led to what they do today, a reasonable middle ground.).
“If those extensions aren’t maintained, though, they represent potential security risks”
True, but that’s not some kind of killer argument that automatically means that using the old extensions is bad. It only means that you need to beef up your defenses.
“it’s hard for many people to risk the security of their devices on extensions or software that don’t get security updates”
Then those people shouldn’t use Pale Moon. I’m not seeing the problem there.
“Part of the switch to webextensions from XUL was justified by Mozilla by saying that XUL was less secure because it allowed developers too much latitude to alter fundamental things in ways that were hard to monitor. ”
Yup — but that’s a different sort of security issue. This argument, by the way, is the only one that Mozilla made that actually angered me. It’s an offensive, paternalistic, “you can’t be trusted to make your own decisions” argument.
“I would say that, actually, Firefox does as well relative to Chrome”
The problem with that argument is that you’re comparing it to Chrome. That’s fine if you’re talking to people who would otherwise use Chrome. However, I would venture to guess that most people using Pale Moon are comparing Quantum to pre-Quantum FF, not to Chrome.
Palemoon will be dead by the end of the year. It’s already behind the curve in terms of performance and web features.
Moonchild is always making promises that he can’t keep. And good riddance to the world.
“It’s already behind the curve in terms of performance and web features.”
I don’t use Pale Moon so can’t comment on it specifically, but I thought that I’d mention that there are plenty of users who aren’t as concerned with boosting performance or keeping up with web features as they are with other issues, so being “behind the curve” is not a death sentence.
@John Fenderson:
But that’s like saying there are a lot of people that are happy with 8-tracks for listening to their old music, but it’s still a crappy format.
I’d say Pale Moon 28 has some promise, if not for a year anyway.
@Jody Thornton
Maybe that’s a valid analogy, maybe not. Either way, it’s irrelevant. If someone is happy with their 8 track, they’re not wrong for being so and people who make 8 track players aren’t wrong for servicing those customers.
I’ve been using Pale Moon for about 6 years now, and in almost all that time there have been the naysayers. Guess what? Pale Moon is still here. And the new milestone version 28 will fix most of the “problems” people are griping about here. Have a nice day!
I second that.
Long live Palemoon
v27.9.4, one of the last or maybe the last version until the beta v28 becomes official. Even if with the v28 I found replacement for some add-ons not compatibles like “save file to” to “save image in folder”, still missing “add to search bar” and some others but not important. However I can not imagine Pale Moon without FTdeepdark, like with Windows I will stop upgrade.
I just dl’d 27.9.4, put it in another locale, moved my profile folder over and those that I have checked, such as “add to search bar” are working just fine. Hmmm.
I reluctantly dropped PM about six months back and we now use FFx. It was getting to be just too much hassle to get sites displaying correctly. Also not being able to install some critical security management add-ons forced me out.
It is still installed on our Ubuntu machines so I might give it one last update to try again. But I suspect it is too little too late as they seem to be falling farther behind faster. :)
What I’m starting to notice is we’re not hearing much anymore about Waterfox. I haven’t been to the blog or Reddit page lately, but usually there’s conversation about it here.
Off topic: Martin you don’t address the fact that Microsoft overtook Github.
You also do not inform us about the latest update of Waterfox, 56.2.2, which includes a lot of security updates, on July 14.
It is your project and of course I respect your choices. Just wondering.
I have been using Waterfox as my primary browser for some 6 months now and have been very happy with it.
As far as sandboxing, sandboxie free works great…never a problem in years. And since i really dont like change and mostly make them prove its better, i stick with an old Palemoon version 26.5. it does all the video downloading with zero problems and since i always run sandboxed and virus check downloads, again zero problems. running Palemoon 26.5 Portable…and off of a sandboxed flash drive…smooth and fast. all the extensions work and it looks and runs great. two computers, two people, running 8-10 hours a day for years, zero problems and we both constantly try many things online. so the thing is: new is not always better or faster or more secure…just newer in many cases. I know browsers are a personal issue and each to his own but this has and still does work wonderfully for us. I do weekly images with Macrium Reflect and keep the last three. Have done so for years. just my take anyway…Clas
Win7 pcs….fast and cool.
Pale Moon wil have to be thoroughly modernized to make it compatible with a number of essential Firefox add-ons for which there are no alternatives. I’ll give them another three months, otherwise it’s goodbye PM and back to Ffx (with a lot of privacy tweaks) for me.
Actually, you should try out the Pale Moon v28 Beta. I think the innards are close to Firefox x52 (being built on UXP). Compatibility and speed of rendering has vastly improved.
I wouldn’t even bother with Pale Moon v27.9.4 now. I only use that version on my Puppy Linux notebook, where I run Precise Puppy v5.7.1. It’s fine for that.
As for Pale Moon dying a quick death, I’d say it will be around for awhile. But for now, what I’m using is the special v28 Beta build by Roytam1, called New Moon. I’m running Vista on a soon-to-be decommissioned desktop, and it runs great on that. It will also work on XP too. The link below will take you to the thread on MSFN. Skip the real Pale Moon if you run an older OS, and just click here instead.
https://msfn.org/board/topic/177125-my-build-of-new-moon-temp-name-aka-pale-moon-for-xp/
I plan to roll over to my new PC in October and then I’ll switch to Quantum full time.
Pale Moon is my only browser since Firefox 50.0 days because I can keep the filters and add-ons that Mozilla was eliminating. I also use PM because of Moonchild’s focus on security and functionability over razzle-dazzle and shiny things. Just upgraded to 27.9.4 on W7 Pro, W7 Home and Mint19 Cinnamon systems with no problems.
Try asking Moonchild to show you the security tests the team performs.
I’ll save you the trouble; they don’t do any. It’s just code reviews and ‘good because it’s open source’.
That alone should concern anyone.
Oh, so we should take the word of a known troll instead?!
” post by Moonchild » Mon Jul 23, 2018 12:34 pm
Extensions need to be aware of the (proper!) handling of SSL statuses in UXP.
Plastering the raw suite in the cipherName field was a Mozilla bug (typo) but due to peer pressure from people who wanted to see this raw string in the Page Info -> Security dialog in the relevant bug, Mozilla never fixed this. We did.
If extensions want to be compatible with the originally intended implementation as carried in UXP and all its applications, they need to check cipherSuite to get the suite string for analysis.”
In the above instance, it appears to be Mozilla who don’t seem to care enough about Security-related issues.
If you’re the Satrow that’s a Mod on the Pale Moon forums, no doubt you can link to the security tests or even the team that performs them. I’m surprised you didn’t when replying here, but we all know why you didn’t, or more precisely can’t, because none exist.
Your silence speaks volumes and instead try to redirect the conversation.
I can’t link to security tests required/performed for individual or potential issues, they’re not usually in the public domain until some time after eg. Mozilla, has reached out to the Pale Moon team with details.
Digital security involves humans (often the weakest link, eg. the Avast employee who slipped up and opened the path to the CCleaner malware/security breach of a year ago), so highlighting any team member might lead to increased pressure and/or unforeseen problems; maintaining security requires many considerations across a very wide spectrum of potential areas to minimise the frontal area, etc.
Hi, can someone elaborate why these tests are important? Is there a reason why PM devs dont do it? Is FF superior to PM in security field because of that?
Hi,
how important is that? Could SB elaborate? Is there a real reason why PM devs don’t do it f.e. these tests dont reveal anything valuable anyway?
Why should people even use the only browser in the market right now with no sandboxing capabilities?
Sandboxing only would function optimally in a browser with e10s enabled.
Non-e10s web browsers like Pale Moon & Basilisk wouldn’t need any sandboxing – and this sandboxing code would be “dead” code.
> Non-e10s web browsers like Pale Moon & Basilisk wouldn’t need any sandboxing – and this sandboxing code would be “dead†code.
Yeah, a simple exploit leads to a RCE so no big deal – nothing to “see†here.
I originally uses Pale Moon, because you were able to achieve that old school Firefox 2/3 look, but it seems it would be harder with Basilisk and after that they will probably have to move to Quantum so it will be completely lost in time.
I kinda wish they could use the Quantum rendering engine, but use the UI of Firefox 2 and 3.
I have both as portable version, Pale Moon Portable and Quantum ESR from portableapps. With Pale Moon absolutely zero problems concerning features, and I have 40 add-ons installed. With Quantum I discover a bug each week, the first was my scripts only working with Tampermonkey I do not like, the last was jpg.part not removed. Old school browser 1, modern browser 0.
It’s not possible because Quantum does not support XUL. Moreover all XUL’s related codes will be removed starting from Firefox 62