Pale Moon's Archive Server hacked and used to spread malware

Martin Brinkmann
Jul 11, 2019
Updated • Jul 15, 2019
Internet, Pale Moon
|
99

The Pale Moon team announced on July 10, 2019 that its archive server was hacked and used to spread malware.

The team detected the breach on July 9, 2019 and shut down the archive server immediately to prevent further infections with malware. An analysis of the issue revealed that the infection most likely happened on December 27, 2017.

Update: Further analysis into the issue by the Pale Moon team revealed that the breach was likely more recent than initially assumed. Estimates suggest that the servers were breached between April and June 2019, and not December 2017. You can read the announcement here. End

The Archive server is used to serve older versions of Pale Moon; the browser's main distribution channels were not affected by the breach.

This never affected any of the main distribution channels of Pale Moon, and considering archived versions would only be updated when the next release cycle would happen, at no time any current versions, no matter where they were retrieved from, would be infected.

Additionally, the hacker infected only executable files of the browser and not files inside archives. Other programs hosted on the server, the web browser Basilisk, were not affected either.

pale-moon archive server breach

According to the post mortem, the issue affected all archived executable files of Pale Moon 27.6.2 and earlier.

The team's investigation in the matter was severely impacted by another incident on May 26, 2019 that caused "widespread data corruption" on the archive server to the point where booting or data transfers were not possible anymore.

The hacker managed to sneak a script on the server that would run locally to infect the executable files on the server. The infection increased the size of the executable by about three Megabytes and planted a variant of Win32/ClipBanker.DY inside the executable.

Running these infected executables will drop a trojan/backdoor on your system that would potentially allow further compromise to it.

Bleeping Computer notes that the malware creates a scheduled task on the system in the background while Pale Moon's installer runs in the foreground.

Users who never downloaded Pale Moon from the Archive Server (archive.palemoon.org) are "almost certainly in the clear" according to Pale Moon's announcement.

The team recommends that users who downloaded the browser from the official site or archive site run a full virus scan on their systems to make sure they are clean.  The infection signature is "known to all major antivirus vendors" according to the announcement; programs like Avira Antivirus, Avast Free Antivirus, BitDefender Free, or Kaspersky Free Antivirus.

There is also the option to check signature files or the digital signature of Pale Moon's executable. The digital signature is not available for all releases though so that its absence does not infer that the file is infected. The existence of a digital signature on the other hand is a clear indicator that the file is clean.

Archived versions of Pale Moon are accessible again on archive.palemoon.org.  Dates indicate that directories were created on July 10, 2019.

Closing words

Pale Moon's main distribution channel was not affected by the hack which means that most users were not affected by the issue. The team has not released any archive server statistics and it is unclear how many users were potentially affected by the breach.

Pale Moon users should run a full virus scan on the system to make sure that their devices are not infected.

Summary
Pale Moon's Archive Server hacked and used to spread malware
Article Name
Pale Moon's Archive Server hacked and used to spread malware
Description
The Pale Moon team announced on July 10, 2019 that its archive server was hacked and used to spread malware. 
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

  1. dmacleo said on July 15, 2019 at 11:19 pm
    Reply

    iirc archive server was just index page on ftp server (IOW no forum/content management system) so wonder if this was ftp issue.

  2. Nicolas said on July 15, 2019 at 9:13 am
    Reply

    Martin

    Please update your post:

    “Archive server breach follow-up”

    With the help of some of our community members, we’ve been able to narrow down when the data breach occurred to a much more recent date: Somewhere between April (last known good state) and the start of June (when the server’s usability was destroyed) in 2019. It also makes a lot more sense this way as obvious infections would not go unnoticed for such a long time, normally, which was a very puzzling notion. The infection dates and times were obviously forged.

    This makes the actual risk for users who have downloaded from the archive server much less with the much smaller timeframe.
    Only old versions were infected, which either means this was on purpose or the hackers got interrupted. With the short timespan after before the server became inoperable, it’s likely they returned, doubled down, and destroyed the server to the point of non-bootability to hide their tracks.

    Please, still do treat anything you downloaded from archive.palemoon.org before with care. In case of doubt, delete the installer and fetch a fresh copy from archive.org or the newly set up archive server. As always I do recommend you only run the most recent version of Pale Moon to keep your browsing a safe experience.

    https://forum.palemoon.org/viewtopic.php?f=1&t=22553

    It’ll be great (helpful too) if you can make a post about this as well

    “Help us fund the Sync server”

    Pale Moon Sync is provided as a convenience service for Pale Moon users, allowing users to synchronize bookmarks, passwords and open tabs between devices/operating systems/installations. We do not charge for its use.

    The Sync server requires a decent amount of processing power on the server side to manage the over 5000 active(!) users it has now.
    This comes with a price tag even with the good deal we get from our VPS provider – the next bill for it will be coming up in August, and there’s currently no surplus budget to cover for it.

    Please help us cover the annual hosting costs for this server! If you are an active user of this service we kindly ask that you chip in.
    Without sufficient funding we will be forced to shut this service down.
    To donate: please use our ko-fi page:

    https://ko-fi.com/palemoon

    https://forum.palemoon.org/viewtopic.php?f=1&t=22560

    1. crambie said on July 15, 2019 at 1:01 pm
      Reply

      He did update the article but it’s not a post-mortem it’s a guess. They won’t need to worry about funding a sync server after this.

  3. Kubrick said on July 14, 2019 at 12:02 pm
    Reply

    If anyone had bothered to entertain moonchilds explanation the server security was not down to the palemoon team but in fact to the server supplier.
    I should add that there were instances of av programs detecting trojan behaviour in older installers and the users were informed to ignore them which is a cause for concern.

    1. ItsMe said on July 14, 2019 at 1:10 pm
      Reply

      Just making the same excuses for them doesn’t make it any better. As has been said in reply a number of times it’s not the breach (well it could be too but that’s not the main thing) it’s the lack of basic security to detect that something went wrong and not keeping data that would let you see rather than guess what happened.

      And yes, you’re correct, av’s do throw up false positives sometimes but you as a developer have the duty to make sure that they really are false and not just say they are without actually checking, which by all accounts happened.

      It’s certainly not the same as your example where there’s a false positive in software but that’s been checked and it really is false.

  4. Anonee said on July 14, 2019 at 4:27 am
    Reply

    Obviously, I have never touched Pale Moon since I don’t use hobby projects from some random dude who does it in his spare time.

    However, I have to ask – does he even digitally sign the installers? If so, then modifying the executables to inject malware would have invalidated the digital signatures on those files, so didn’t anybody notice?
    Or do people not bother to check the digital signatures (or even support them, like the Notepad++ dev who thinks they are an “overpriced masturbating toy” https://notepad-plus-plus.org/news/notepad-7.6.4-released.html)?

    1. Anonymous said on July 14, 2019 at 3:59 pm
      Reply

      He may be “random” and he may be a “dude”, but the “spare time” part is wrong. It’s his full-time gig and has been for years. He and his helpers obviously know what they’re doing; they’re not 12-year-olds in their parents’ basement trying to figure things out. Obviously they didn’t get this situation right, but I’m willing to assume they’ll do better in the future.

      And based on everything we know, there’s no reason to believe this went past the archive. Let’s not generalize this to every jot-and-tittle in the Pale Moon universe. All we have evidence for right now is the archive; let’s leave it there without more evidence, not to mention proof. The haters want to believe the worst because they want the worst to be true. Nothing better to do with their time, I guess.

      What I don’t understand is the full-out hate that some people have for “hobby projects.” If “you” don’t want to use such software, fine. Why do “you people” have to go into full-on spitting-bullets mode, hating the people who use such software and even the very concept of such software? “You” do your thing, we’ll do our thing, and nobody has to reach for the blood pressure medicine to stay calm. “I love you. You love me. We’re a happy family.”

      [As for the digital signature issue, I’m not a programmer and don’t know much about this kind of thing. My understanding is that that stopped a while back for some technical reason but was started up again recently. And again, if I’m willing to use something without this feature, nobody needs to worry about that but me.]

      “I’m OK. You’re OK.”

      1. scorpiogreen said on July 15, 2019 at 8:22 am
        Reply

        “He may be “random” and he may be a “dude”, but the “spare time” part is wrong.”

        That’s basically what it is, so…

        “It’s his full-time gig and has been for years. He and his helpers obviously know what they’re doing; they’re not 12-year-olds in their parents’ basement trying to figure things out.”

        They sure act like it based on the nonsense I see in their forums.

        I basically have the same issue with Waterfox as well. One guy who has a couple of part time helpers. I’m gonna rely on that?

        What happens if he dies or quits? What are you gonna do then?

        The big difference is Kontos isn’t an a-hole like Mooniechild and his cult. Call it a big personality difference.

        “What I don’t understand is the full-out hate that some people have for “hobby projects.” If “you” don’t want to use such software, fine. Why do “you people” have to go into full-on spitting-bullets mode, hating the people who use such software and even the very concept of such software?”

        Why do you come on here and bash Firefox all the time? Try not to be a consistent hypocrite, k?

        What comes around, goes around.

      2. Anonymous said on July 16, 2019 at 8:01 am
        Reply

        “That’s basically what it is, so…”

        Not sure what you mean by this.

        “They sure act like it based on the nonsense I see in their forums.”

        I agree. Still, they know a tad more than your average 12-year-old, in his parents’ basement, trying to figure things out.

        “One guy who has a couple of part time helpers. I’m gonna rely on that? ”

        Didn’t say you had to.

        “What happens if he dies or quits? What are you gonna do then?”

        I’m a big boy; I’ll deal with it. Nobody else has to.

        “Why do you come on here and bash Firefox all the time?”

        There’s more than one Anonymous here. That’s not me. I haven’t done that, other than whatever general remarks I may have made about big-name browsers/companies.

        “Try not to be a consistent hypocrite, k?”

        Ergo, does not apply.

        “What comes around, goes around.”

        You mean, like a cyrkle?

    2. ItsMe said on July 14, 2019 at 1:01 pm
      Reply

      The release versions pages do show SHA256’s. So either they have them for the archive exe’s too but never validated them or they only keep SHA’s for the latest version. Either way that’s not great.

      As they can’t say with 100% certainty that the production server wasn’t also attacked then I’m guessing even SHA’s they do know about are never checked.

    3. 99 said on July 14, 2019 at 10:19 am
      Reply

      >>>Or do people not bother to check the digital signatures (or even support them, like the Notepad++ dev […]
      The Notepad++ dev does, so please don’t mix him up with a bunch of pale moonies.

      Notepad++ 7.6.6 released with GPG signatures (04 Apr 2019)
      Since version 7.6.5 of Notepad++, the distributive packages are signed with digital signature by using GnuPG (GNU Privacy Guard). This allows users to reliably validate authenticity and integrity of Notepad++ packages.

      Notepad++ 7.7 released (19 May 2019)
      Thanks to DigiCert, Notepad++ is code signed again from the version 7.7.
      The GPG code signing will still be kept, so people can choose their preffered way to control Notepad++ binaries authenticity.

  5. Peterc said on July 14, 2019 at 1:49 am
    Reply

    DISCLAIMER: I am a fully costumed member of the League of Pale Moon Avengers, but I’d write the following comment exactly the same way even if I weren’t.

    Hmmm.

    The malware affected *archived* [Windows] *.exe files only, right? And wasn’t the malware in question detectable by all major anti-virus programs? And doesn’t pretty much *everyone* who uses Windows run a real-time anti-malware package? (Windows bugs you if you don’t.) So, if exposure was as pervasive as many commenters here seem to be claiming, why wasn’t there an uproar *long ago*? I mean, when you *download* the infected *.exe, you should get a malware warning, right? And when you *run* it, you should get *another* malware warning, right? And when the scheduled malware task runs, you might get *yet another* malware warning, right?

    Maybe most affected users just disinfected the file and didn’t bother to report back to Pale Moon, but if the breach actually *did* occur 18 months ago (which seems very unlikely), surely *someone* would have reported the infection before now. (I’ve personally reported mere file-hash failures to developers more than once. The problem was usually a hash that the developer had forgotten to update, but the point is, I *reported* it.)

    This is a pretty unfortunate hack, and it doesn’t reflect well on Pale Moon’s server-security nous. But the great majority of Pale Moon users almost certainly download the *current* version of the program, not an old archived version, and the current-version server *wasn’t hacked*. It’s not an excuse for inadequate security and file-integrity precautions, but I’m guessing that *very few* users were affected — maybe even fewer than were affected by the Linux Mint server hack, which lasted only one day. And how many of those were “computing naked,” with no anti-malware protection?

    I hope the Pale Moon team will beef up security and file-integrity control, but I’m not dumping Pale Moon because of this one incident. Getting hacked can happen to anyone, including to bigger, more “professional” outfits. And although I can’t bring any specific examples to mind, I doubt that everyone notices the hack and remedies it right away. The important thing is that Pale Moon’s developers respond appropriately and take measures to prevent it from ever happening again.

    In short, Pale Moon got pwned, but it could have been much worse. Don’t judge them on this first-time oversight; judge them on how they respond.

    1. Anonymous said on July 14, 2019 at 8:28 am
      Reply

      A reasonable-sounding try, but faulty premises and some problems, unfortunately:

      “wasn’t the malware in question detectable by all major anti-virus programs?”
      No, it was not. Two AVs were named in their forum as having detected it–Avast and Kaspersky–but almost 30 on VirusTotal missed it.

      “And doesn’t pretty much *everyone* who uses Windows run a real-time anti-malware package?”
      Definitely not, but this premise is mis-stated to begin with: the question here is not about everyone who uses Windows, but about every Windows user *who downloads Pale Moon.* Of Pale Moon users, we can most definitely NOT say that “pretty much” all of them run a real-time anti-malware package. One PM user on this page has already said they don’t, and numerous others over the years have said the same here and elsewhere.

      “So, if exposure was as pervasive as many commenters here seem to be claiming…”
      “Many commenters here” are NOT claiming that exposure was so “pervasive.” The truth is, the amount of exposure is unknowable, at this time at least, and we will very likely never know. This unknowable amount of exposure is not the most important thing, however.

      “why wasn’t there an uproar *long ago*?”
      Some users did report this to PM and were rebuffed, both in the forum and the FAQs. Most users, however–as you already surmised–don’t bother reporting things.

      “I mean, when you *download* the infected *.exe, you should get a malware warning, right?
      And when you *run* it, you should get *another* malware warning, right? And when the scheduled malware task runs, you might get *yet another* malware warning, right?”
      Uh, no, not necessarily–see above.

      “the great majority of Pale Moon users almost certainly download the *current* version of the program, not an old archived version, and the current-version server *wasn’t hacked*.”
      Really? Unfortunately we cannot definitively say this. The Pale Moon homepage admitted a “potential security issue” with the current release version installer in early May 2019. And even the Pale Moon developer himself says that users of the current version are “ALMOST certainly in the clear.” It’s the developer’s use of the word “almost” which should concern every Pale Moon user.

      “In short…it could have been much worse.”
      As Sam the Lion responds to Sonny in “The Last Picture Show” when told this: “You could say that about most everything, I guess.”

      “Don’t judge them on this… judge them on how they respond.”
      That’s a false dichotomy and they’re not mutually exclusive. You can do both. Anyone deciding on what software to use, especially such an important piece of software as a browser, should take all available information into account, not just give an automatic pass to an outfit on their worst fail ever.

      1. Cigologic said on July 18, 2019 at 10:29 pm
        Reply

        > Anonymous (14 July 2019, 8:28 am): “The Pale Moon homepage admitted a “potential security issue” with the current release version installer in early May 2019.”

        For clarity against fudging & conflation, the so-called installer that’s no longer offered pertains to the online installer stub (not the full offline installer). See below comments.

        https://forum.palemoon.org/viewtopic.php?p=170901#p170901
        >> catinahat: “I saw on your downloads page on palemoon that the web installer has been removed due to a security issue.””

        >> Moonchild: “Web installers/ stub installers are no longer used due to concerns about it insecurely loading dlls.”

        As comparison, the DLL side-loading security issue also affected PortableApps’ online & offline EXE installers:
        https://portableapps.com/news/2017-03-13–mitigating-dll-hijacks-with-the-portableapps-com-platform

        Even Mozilla’s Firefox & Thunderbird XE installers face the same DLL-hijacking security issue from time to time (even when supposedly fixed at an earlier date), such as outlined below (non-exhaustive list):

        • Firefox Installer DLL Hijacking (20 Nov 2012):
        https://www.mozilla.org/en-US/security/advisories/mfsa2012-98

        • Mozilla continues to ship Firefox & Thunderbird for Windows with a vulnerable executable installer (29 Apr 2016):
        https://packetstormsecurity.com/files/136848/Mozilla-Firefox-Thunderbird-DLL-Hijacking.html

        • Fix applied for CVE-2014-1520 does not fix a DLL hijacking issue with Mozilla Firefox’s executable installer (15 Jun 2016):
        https://packetstormsecurity.com/files/137482/Mozilla-Firefox-DLL-Hijacking.html

        • Mozilla’s executable installers are vulnerable to dll hijacking (20 Feb 2018):
        https://packetstormsecurity.com/files/146499/Mozilla-Executable-Installer-DLL-Hijacking.html
        → “2018-02-08: vulnerability report sent to Mozilla, no reaction”

        • DLL Hijacking Issue Plagues Products like Firefox, Chrome, iTunes, OpenOffice (08 Feb 2016):
        https://news.softpedia.com/news/dll-hijacking-issue-plagues-products-like-firefox-chrome-itunes-openoffice-500060.shtml

        • Proof-of-Concept on how to embed a meterpreter in Firefox via DLL hijacking (06 Jul 2017):
        https://github.com/fox-it/dll-hijacking-poc

      2. Peterc said on July 14, 2019 at 8:02 pm
        Reply

        @Anonymous:

        “Some users did report this to PM and were rebuffed, both in the forum and the FAQs.”

        If this is true, it’s UNFORGIVABLE. In fact, it would earn you the game point. Screwing up is one thing; refusing to listen when people point out that you screwed up is another.

        “[A]lmost 30 [AVs] on VirusTotal missed it.”

        If this is true, then it’s worse than I thought. (And I’m *glad* I use Kaspersky … although I’m not a CIA worker who takes Vault 7 hacking tools home from work and puts them on my personal computer to be flagged heuristically by Kaspersky and sent on to Mother Russia for analysis. Oops!) Your point.

        “The Pale Moon homepage admitted a ‘potential security issue’ with the current release version installer in early May 2019.”

        I didn’t spot this. I virtually always update Pale Moon from within the program and I virtually always do it as soon as a new version is released. Although I haven’t checked, I assume the “internal updating” is done by downloading the current-release installer to a temp folder. As I mentioned above, I run Kaspersky, and no malware was ever flagged when I updated. However, if a current-release installer was hacked and infected *after* I updated, I would *not* have noticed. Your point.

        “Of Pale Moon users, we can most definitely NOT say that ‘pretty much’ all of them run a real-time anti-malware package.”

        If this is actually true — that a higher percentage of Pale Moon users surf naked than users of other browsers — I begin to understand why so many people think Pale Moon users are *loons*. I simply don’t understand how people can rationalize using a non-air-gapped Windows computer without an up-to-date anti-malware package. A Linux or BSD computer, maybe. But going on the Net with an unprotected Windows computer is like walking down a dark alley in the worst part of town, drunk, loaded with expensive jewelry and with wads of cash sticking out of every pocket. I sympathize 100% with victims who happened to choose an AV that didn’t pick up this infection, but *not* with victims who were surfing naked. *My* point, or at least not *your* point. Sometimes the victim is blameworthy.

        “‘In short…it could have been much worse.’ As Sam the Lion responds to Sonny in ‘The Last Picture Show’ when told this: ‘You could say that about most everything, I guess.'”

        Oh, I don’t know. When I think of ransomware attacks, or Windows updates that bork your system or permanently delete some of your data files, it’s hard to imagine something a whole lot worse, especially if the victims don’t have backups. No point for substance, but *definitely* a point for the movie reference.

        This whole episode made me think of an old program from back in the days of Windows XP that automatically uploaded a fresh local copy of a website to the hosting site on a schedule, to ensure that any website hacks didn’t last for very long. (I thought it might have been one of Karen Kenworthy’s “Power Tools,” but I’m not finding it on the resurrected Power Tools site.) I don’t know whether attendant costs (e.g., possible data and bandwidth limits on either end) make this feasible for a small operation, and if *everyone* did it, it would add significantly to global Internet traffic, but it seems like a wise precaution when you’re dealing with a host whose security you don’t control.

        My new summary:

        * Blindly trusting your hosting site’s security and failing to routinely check the integrity of your hosted files: BAD.

        * Rebuffing reports that your hosted files are infected: UNFORGIVABLE.

        * Taking best-practices steps to ensure that it doesn’t happen again: COMMENDABLE (if it happens).

        Pale Moon is still my favorite browser. It continues the original spirit and mission of the *old* Firefox — customizability, extensibility, and user control. It doesn’t spy on me by design, unlike Google Chrome (and, sometimes, modern Firefox). It still allows me to run some really useful extensions, unlike modern Firefox (and soon, Waterfox). It allows me to block Facebook scripting (which is *unbelievably* pervasive, even if you *never visit* Facebook), unlike Brave. It’s been *remarkably* stable and well-functioning, over *many* years. It has officially endorsed Ubuntu PPAs that are stable, reliable, and up to date, unlike Waterfox. (Pale Moon has officially endorsed Debian PPAs as well, although I haven’t personally used them.) I *can’t* use it to watch Netflix or other DRM-protected videos, and a small number of other sites don’t work on it, but that’s why I also have Chrome and Firefox installed.

        So long as Pale Moon’s developers take appropriate steps to ensure that they don’t serve infected installers again, and so long as they stop rebuffing reports of serious problems out of hand, this incident is not going to make me dump it. If they *don’t* … then I guess it’s back to Firefox (with a *massive* amount of regret), since I’ll soon be migrating to Linux full-time, and in the distros I’ve tried, Waterfox is just too big of a PITA to install and keep up to date.

        Finally, different people have different priorities and different browsing needs. If other people prefer Chrome, Firefox, Waterfox, Brave, Vivaldi, or something else and don’t see any value in Pale Moon, that’s fine with me. I will note that a lot of the animus toward Pale Moon is based on the developers’ “poor social skills.” The best response I have to that is that, given a choice between a poorly coded or privacy-violating program developed by “nice” people and a well-coded, privacy-conscious program developed by “difficult” people, I’ll take the latter. With regret, but I’ll take it. (Did you use a Mac when Steve Jobs was at Apple’s helm? Did you use Linux before Linus Torvalds went into “social-skills rehab”? If so, then you’ve “taken it,” too!)

      3. Anonymous said on July 15, 2019 at 7:28 am
        Reply

        Peterc, thanks for your reply. You’re one of the more reasonable, mature, likeable PM users I’ve come across. You’re probably quite right about a lot of the animus toward PM being caused by the awful way of the developer and his right-hand lackey, and many of their users, I would add.

        Two things: how does Firefox “spy on you by design…sometimes?” All of us who use Firefox have a lot riding on this, obviously, so we’d be grateful if you would laid this out clearly.

        Finally, I’m running Brave and blocking Facebook scripting (and any other scripts I want) by using NoScript. Why do you say you can’t block Facebook scripts in Brave? And I heard Pale Moon can’t run NoScript–how do you block scripts in Pale Moon? Thanks.

      4. Peterc said on July 15, 2019 at 8:25 pm
        Reply

        @Anonymous:

        Thanks for the kind words! If by “mature” you mean “old,” you’re on the money!

        My comment about Firefox sometimes violating your privacy was based on Pocket, the Cliqz experiment (did I spell that right?), and other holes plugged by the really extensive gHacks Firefox user.js script maintained (at least primarily, I think) by a commenter here named “Pants.” After all, one of Waterfox’s selling points is that it doesn’t just *say* it respects your privacy, it actually *tries* to by changing some of Firefox’s more problematic defaults. In hindsight, Google’s old mantra “Don’t be evil” was actually shorthand for “Don’t be *blatantly* evil; be *latently* evil.” ;-) Mozilla hasn’t reached that point, but it’s now a half-billion-dollar-a-year enterprise with highly paid executives, and big money has a way of corrupting founding principles. (REI started out as a bona fide co-op that sold only a carefully curated selection of decent-quality, fairly priced outdoor gear, and look at it now!)

        When I began hearing people rave about Brave, I was ready to jump on it until I started coming across articles like this one:

        Brave Browser Sacrifices Security | Netsparker
        https://www.netsparker.com/blog/web-security/brave-browser-sacrifices-security/
        [Scroll down to “Brave Browser’s ‘Hidden’ Whitelist of Tracking URLs”]

        Just to be clear, I consider Facebook to be one of the most *malign* actors on the Net, and I’ve moved every Facebook-related domain I can identify to my NoScript blacklist of “Untrusted” sites in every browser I have that *supports* NoScript. If my understanding of those articles — namely, that the whitelisting of Facebook-scripting is hard-coded into Brave and can’t be completely, durably, and reliably defeated — is *wrong*, then I withdraw my reservations about it.

        So far as I can make out, NoScript got deprecated and disavowed in Pale Moon because the developers got fed up with a high volume of posts from users who complained that certain sites didn’t work when the problem was in fact caused by NoScript. I don’t know how many of these problems were because of something inherently problematic and “unfixable” in NoScript and how many were because users simply weren’t configuring it properly for the sites in question, but the developers got tired of having to deal with them regardless. (And in fairness, it’s not their job to teach people how to use NoScript.)

        Personally, I’ve used NoScript in Pale Moon for many, many years and continue to do so (at least for now) *despite* the deprecation. The *vast majority* of sites I visit continue to work just fine, and I’m willing to accept that with some of the sites that don’t, the problem *might* be because of NoScript and not because Pale Moon itself doesn’t support some protocol or standard they require.

        Why do I continue to use NoScript? Time, inertia, and laziness. (See “mature,” supra. ;-) I’m familiar with NoScript’s interface and settings and I’m not enthusiastic about having to learn the ins and outs of a new scriptblocker. Even more importantly, I have put in a LOT of time vetting domains and adding them to my whitelists and blacklists and I don’t want to have to redo that work from scratch. When you consider that a new “untrained” whitelist-based scriptblocker will break most sites you visit until you substantially finish training it, that’s kind of a big deal.

        That said, I know I should really switch to ηMatrix (eMatrix), which is a Pale-Moon-specific fork of Raymond Hill’s reportedly *excellent* μMatrix (uMatrix) extension. (I’ve used his uBlock Origin extension for some time now, and *it’s* pretty damn excellent, so I believe the reports.) μMatrix is more sophisticated and granular than NoScript and (unfortunately) more complex and harder to learn — I gave it a half-hearted try, once! — but it’s “officially approved” and *maybe* more likely to be supported for longer than the legacy version of NoScript. NoScript’s developer says, “You can still download NoScript ‘Classic’ (5.1.9) for Palemoon, Seamonkey, Waterfox and possibly other ‘vintage’ (pre-Gecko 57) Firefox forks here: [link]. We’ll do our best to provide security fixes as long as supporting browser[s] still guarantee their own security updates.” This is *really* generous on his part — most legacy-extension developers threw in the towel when Firefox announced it was going to dump legacy-extension support — but when Waterfox drops support for legacy extensions in the near future, and SeaMonkey either drops support or dies, Pale Moon is a *pretty small user base* to continue to develop for, and I’m not necessarily willing to bet that he will be *that* generous! *Especially* since Pale Moon has officially deprecated his extension!

        Anyway, that’s about all I’ve got. Maybe I’m casting too jaundiced an eye on Firefox’s privacy lapses, and maybe I’m being too skeptical of Brave’s assertion that non-Facebook-users can’t be fingerprinted and tracked without cookies, and maybe I’m just plain wrong that scriptblockers can’t *actually* block Facebook scripting in Brave. If so, I’m happy to be corrected — especially where Brave is concerned. Brave sounds like it might be okay — so long as it *genuinely, effectively* permits users to avoid being tracked by Facebook.

      5. Heljka said on July 15, 2019 at 4:54 pm
        Reply

        >And I heard Pale Moon can’t run NoScript–how do you block scripts in Pale Moon?

        You heard wrong
        NoScript Classic works fine in Pale moon
        https://noscript.net/getit

        alternatively you can use the latest Legacy uMatrix
        https://github.com/gorhill/uMatrix/releases/tag/1.1.4

        Or the newer fork eMatrix
        http://addons.palemoon.org/addon/ematrix/

  6. RespectfulRemain said on July 13, 2019 at 6:33 pm
    Reply

    Damn, Martin had some work with these comments, haha.

  7. ItsMe said on July 13, 2019 at 11:56 am
    Reply

    They can’t now say that the breach was later with any certainty. All they’re going on is a few people who downloaded clean exe’s and kept them. They didn’t do av scans and they didn’t keep any logs so all you can say is that on those days and at those times the particular exe’s were clean and that’s it. You’ve no proof that all exe’s were clean and you don’t even have proof that those exe’s were clean the next day.

    That’s the trouble with a post mortem when you’ve no real data to work with as you didn’t backup logs. It’s not a post mortem it’s a guess/wishful thinking.

  8. Ascrod said on July 12, 2019 at 2:41 pm
    Reply

    Martin: several community members did some investigating and found that several executables they had downloaded from the archive earlier in April were unaffected. It looks like the attackers tampered with the datestamps on the infected files, making the breach look worse (longer) than it reall was.

    Update here:

    https://forum.palemoon.org/viewtopic.php?f=1&t=22553

    1. crambie said on July 12, 2019 at 7:19 pm
      Reply

      That post is rather vague. Checking several and not all exe’s doesn’t really mean anything unless you know that all were infected and from that post they don’t know that. If they’d bothered to back up their logs they might have known for sure.

  9. Kubrick said on July 12, 2019 at 2:33 pm
    Reply

    Has anybody here actually been to the palemoon forum to read moonchilds explanation at all or are we all going to sit here like a pack of wolves howling at the moon because of this.?

    If we care to do so then it was the VM provider which was apparently breached by supposed local access..Does anyone care to digest this info or shall we just go on a witch hunt against the palemoon team.?

    1. crambie said on July 12, 2019 at 7:15 pm
      Reply

      It has less to do with the breach itself as much as their total incompetence in never detecting it, they were informed about it, and where they told anyone with any av alert that they were false positives without checking if that was true. Even worse they didn’t back up access logs so couldn’t even check who did what, but as they never virus scanned anything it’s not really likely that they would have bothered looking at them anyway.

      That together with production exe’s only “almost certainly in the clear” (almost means they don’t know) should be enough for any user to drop it like a hot stone. Why would you possibly trust someone with something as complex as internet security when they can’t even secure their executables? I don’t understand why anyone would continue to use it after this and understand even less people like you making excuses for them yet again.

    2. Clairvaux said on July 12, 2019 at 2:39 pm
      Reply

      There’s no “witch hunt”. There’s a nasty piece of malware that was spread by Palemoon for one blasted year and a half.

      Blaming it on the dog who ate their homework won’t cut any mustard.

      And yes, of course I followed the links and read the Palemoon forum. As many other readers have done, obviously.

  10. Bill said on July 12, 2019 at 1:49 pm
    Reply
    1. ItsMe said on July 13, 2019 at 12:02 pm
      Reply

      It’s simply a guess that it’s not so bad. All they know is that those particular exe’s were ok on those particular days. They simply can’t know about other exe’s neither can they know about even the next day.

      Even if you believe it’s not so bad then despite no proof then it’s doesn’t really change anything, it was still a month+, they still didn’t backup logs, they still didn’t check their files so still didn’t spot it themselves. So they’re still incompetent.

  11. Disgruntled said on July 12, 2019 at 12:39 pm
    Reply

    Boy, am I glad I’ve jumped off the Pale Moon boat about a month before that malware infected the archive server.

    Sucks that there isn’t any good Firefox-based browser other than a heavily configured Firefox right now, and everyone knows how tedious it is. LibreWolf seems promising enough, but for now, I’ll stick with Iridium until then.

  12. ilev said on July 12, 2019 at 12:32 pm
    Reply

    It just shows that Pale Moon doesn’t give a S*** about security, privacy… as they didn’t run any monthly penetration tests, daily A/V tests….. in 2 years!!

  13. rickmv said on July 12, 2019 at 2:24 am
    Reply

    LOL for the LameMoon!!! You know when a project is on a haywire when their code developing mantra is “we are the best because we keep deleting Mozilla code”.

    Instead of keep changing cartoon wolf avatars, bragging about IQ level of an 1% of the humans but all that lurking in a paradigm head, and spending all days hammering on their only couple tens of old users doing their retirement daily routine on their forum, they should move on some real code writing, check and secure their turf, and let the old, obsolete Mozilla code that they keep on beating behind. Take some hints from the Waterfox dev. who only by himself put out an unique excellent browser which can use both legacy XUL and Web extensions.

    Don’t break a sweat on this lame project. Waterfox work miracles. Or take Firefox 60 ESR as the best option outside the data mining agent Gchrome. Or if you really need to go on the dark side, Vivaldi, from the creator of original Opera, is the most honest in their intentions of how using the chromium code behind their browser.

    1. Cigologic said on July 13, 2019 at 2:38 am
      Reply

      > rickmv: “Take some hints from the Waterfox dev. who only by himself put out an unique excellent browser which can use both legacy XUL and Web extensions.”

      How much longer would the hybrid Waterfox be available though ? As it is, Waterfox v56.x (Legacy/ESR) is the last version to support XUL addons. XUL compatibility is already removed from Waterfox “Quantum” v68.x onwards (forked from Firefox Quantum v68 code-base), which supports only WebExtensions.

      Although there are still concurrent releases for the Waterfox Legacy/ESR v56.x (receiving security & bug fixes only) branch vs. the Waterfox “Quantum/ Next Generation” v68.x branch, I understand that the plan is to eventually kill off the Legacy/ESR v56.x branch. This is despite several Waterfox users (primarily Firefox migrants) begging (& still unsuccessfully begging) Alex not to drop XUL support.

      > “Waterfox work miracles. Or take Firefox 60 ESR as the best option outside the data mining agent Gchrome. Or if you really need to go on the dark side, Vivaldi”

      Incidentally, there are folks (eg. below) who literally place Waterfox in the same “outlier obscure” pond as as Pale Moon. Based on the sequence, it seems that Waterfox is thought of as even more obscure than Pale Moon.

      https://old.reddit.com/r/privacy/comments/cc5p2j/pale_moons_archive_server_hacked_and_spread/etl7dk0
      > privacyfreak555: “Computer security is like a bell curve, you got in the middle the popular ones Chrome, Firefox, and on the outliers obscure ones like Pale Moon, Waterfox, etc.”

      To each his/her own, I suppose … I’ve never tried Waterfox, Pale Moon or Vivaldi. But I had tried Cyberfox, & rather liked it. It was a truly 1-man project — unlike the falsely-rumoured “1-man team” of Pale Moon. In fact, Cyberfox was so 1-man in reality that when that one man said “No more”, the project literally is no more.

      1. Cigologic said on July 18, 2019 at 10:47 pm
        Reply

        An addendum to the aforemenioned Redditor privacyfreak555’s comment: “outliers obscure ones like Pale Moon, Waterfox, etc.” …

        Apparently Cốc Cốc (a Vietnamese-focussed browser) is even more widely used than Waterfox — or at least amongst CCleaner users, & CCleaner is very commonly used throughout the world.

        https://forum.piriform.com/topic/49017-cleaning-waterfox-profile-historycache-with-ccleaner-win-7/?do=findComment&comment=307005
        CCleaner’s developer (12 Jun 2019):
        “Although we have added some niche browsers in the past and doing more is on the backlog list, they’ll be handled in order of popularity with our user base – which probably means we’ll see Cốc Cốc added before Waterfox.”

        Hmmm … that implies that Waterfox is seriously obscure.

        Incidentally, I was just thinking the other day that I’ve seen Pale Moon being regularly mentioned as a favoured/ recommended browser at AskWoody. Yet I’m hard-pressed to recall anyone there talk about Waterfox.

  14. Vítor I said on July 12, 2019 at 12:26 am
    Reply

    The problem wasn’t detected by PM “team”, it was a user that stumbled in an infected exe, wtf!

    https://forum.palemoon.org/viewtopic.php?f=17&t=22520

    1. Anonymous said on July 12, 2019 at 10:30 am
      Reply

      Vitor said: “The problem wasn’t detected by the PM “team” , it was a user that stumbled in an infected exe…!”

      Vitor is absolutely right, and this is an important point. The Pale Moon malware most certainly wasn’t “detected” by the Pale Moon team–it was brought to their attention by a user who had detected it.

      Note to Martin: perhaps the article’s wording should be changed to reflect the reality of how this was discovered? Something like “a user discovered the infection and posted about it on the Pale Moon forum on July 9, 2019” ?

      Vitor’s post also has the original link which shows this, and contains additional information. This link is also not in the article above, but I think a strong case could be made for putting it in the article. Plenty of people never make it this far down in the comments.

      Everyone needs to be grateful to that user for discovering the Pale Moon malware and bringing it to the Pale Moon creator’s attention. Otherwise the malware would still be spreading!

  15. Vítor I said on July 11, 2019 at 9:59 pm
    Reply

    Vivaldi, here I go!

  16. Clairvaux said on July 11, 2019 at 8:31 pm
    Reply

    That’s exactly why you can’t trust a browser made by such a small team (if there is, indeed, a team at all). The infection occurred in 2017, for God’s sake !

    I did not even find any layman’s explanation of what the virus does, in the official announcement.

  17. stefann said on July 11, 2019 at 8:01 pm
    Reply

    Maybe the guys should stop treat people like BS in their forum…. Mad “customers” can be dangerous !

    1. Iron Heart said on July 11, 2019 at 9:26 pm
      Reply

      They won‘t, the purpose of this forum is their own amusement. It‘s obvious. Plus, they have already stated that they don‘t care about how many people use Pale Moon.

  18. steve said on July 11, 2019 at 5:34 pm
    Reply

    This really rocks my confidence in Pale Moon. It may be more privacy focused than Firefox, but if it’s not secure there is no point.

  19. Jody Thornton said on July 11, 2019 at 1:40 pm
    Reply

    I wonder how long ago I installed Pale Moon v27.9.9 on my Puppy Linux box …..hmmmm. That does concern me a tad.

    Malware Moon ….lol – I love it.

    1. Cassette said on July 12, 2019 at 1:11 am
      Reply

      Considering the executables were infected, you probably don’t have anything to worry about. Are you running any executables in Linux?

      1. Jody Thornton said on July 14, 2019 at 3:34 pm
        Reply

        I don’t think so. I don’t use that Puppy notebook much anyways.

  20. Apparition said on July 11, 2019 at 1:30 pm
    Reply

    Hilarious. And for eighteen months even.

    This is why you don’t use hobby web browsers. Stick with Mozilla Firefox, Google Chrome, Brave Browser, Microsoft Edge, Vivaldi Browser, and/or Apple Safari.

    1. 01101001b said on July 12, 2019 at 9:58 pm
      Reply

      “And for eighteen months even”
      Oh, yes. Because timestamps can’t be forged, right? Oh wait, they can.

      “Stick with Mozilla Firefox”.
      Sure, sure. Because FF never got its addons infected with malware, right? But, by all means, keep babbling nonsense.

      1. scorpiogreen said on July 13, 2019 at 6:13 am
        Reply

        “Oh, yes. Because timestamps can’t be forged, right? Oh wait, they can.”

        Well that’s your moonie problem, not anybody else’s A hobby browser run by a luddite doesn’t inspire confidence.

        “Sure, sure. Because FF never got its addons infected with malware, right? But, by all means, keep babbling nonsense.”

        lol, yes it all Mozilla’s fault this two year PM fiasco happened.

        Grow up, son. You sound utterly ridiculous.

      2. Anonymous said on July 13, 2019 at 5:14 am
        Reply

        Thanks for pointing that out, 011, that neither Firefox nor any of the above-mentioned browsers were EVER infested with a trojan infection and infecting their users with it for months on end.

  21. Anonymous said on July 11, 2019 at 1:21 pm
    Reply

    As far as malware infestations go, the choice of using Pale Moon to propagate it was rather brilliant: choose a tiny one- or two-man operation, whose users stubbornly cling to using older things to begin with, infect the archive, and on top of that, many of those users probably don’t even use or think they need AVs anyway. If any do and it gets flagged (which happened), tell them that the problem is with their AV, not Pale Moon! (That’s their MO anyway–remember their dustup with AdBlock Plus?)

    Looking at this now and how it’s been going on from late 2017 until mid 2019, it’s been wildly successful in that regard. I’ve never heard of a malware distribution infection which lasted for one and a half years!

    1. 01101001b said on July 12, 2019 at 10:14 pm
      Reply

      “it was rather brilliant”
      To infect old versions (that virtually nobody uses anymore) with a trojan it’s something you call “brilliant”? Read a book, people.

      Real problem here? Using a server running a crappy OS (Wind*ws, f*** off. CentOS, welcome). Problem solved.

      1. Anonymous said on July 13, 2019 at 5:03 am
        Reply

        Yep, rather brilliant. [Editor: please remain respectful] [They] LOVE old versions–that’s why they use it to begin with! A tiny one man shop, obviously lax on security, and users who cling fiercely to old outdated software and who are more likely than most to revert to older versions, and many of whom probably don’t use or don’t think they need an AV (they aren’t shy about making this known on here and elsewhere)…start in the archive, less likely to be detected there, and if a user does have an AV and it detects something, tell them the problem is with their AV and to report it! And given the reflexive cult-like obedience of many moon followers, they’re likely to do just that. And whether it was four months or 18 months, it was highly successful in that regard. Yep, rather brilliant all-around. You’d be hard-pressed to find a better target that had all these ingredients.

    2. Apparition said on July 11, 2019 at 1:31 pm
      Reply

      Nailed it in one.

  22. ItsMe said on July 11, 2019 at 11:41 am
    Reply

    It’s not great to put it mildly when it takes over 6 months to find that your exe’s had been tampered with and it’s a commonly known infection. So they didn’t bother virus scanning anything and didn’t even check sum/validate regularly. It should have been caught in less than a day. That’s really amateur and does make we wonder about the security of their browser if they are so lax.

    Also on one hand it says it only effected the archives then on the other that if you used the production channels you’re “almost certainly in the clear”, not that you definitely are. So it sounds as though they don’t really know and at some point it’s possible that has been breached too.

    1. Cassette said on July 12, 2019 at 1:07 am
      Reply

      I think it’s possible in the same way it’s possible with any software. Can you say with absolute certainty that you would bet your life on that the current version of Firefox isn’t somehow compromised by malware? I use an anti-virus and not once has it ever flagged Pale Moon or Firefox. To the best of my knowledge neither has had an issue on my system with malware. Healthy skepticism is one thing. Tin foil hat conspiracy theory is something else entirely.

      1. Anonymous said on July 12, 2019 at 6:25 am
        Reply

        “I think it’s possible in the same way it’s possible with any software.”

        Uh, no, it’s definitely NOT “possible in the same way it’s possible with any software.” That’s false. A tiny one- or two-person operation like Pale Moon obviously has only one or two or so pairs of eyes looking at it, compared to the hundreds/thousands working on browsers from Mozilla, Google, Microsoft, Apple, etc.. It’s not “possible in the same way” at all. That’s why you’ve never heard of Firefox, Chrome, IE/Edge, or Safari having an active trojan infection being distributed to their users for a one and a half year period. The Pale Moon malware infestation of 2017-2019 is not just the longest in browser history but likely one of the longest in software history as well.

      2. Cassette said on July 12, 2019 at 9:06 pm
        Reply

        @Anonymous Actually the infection happened between April and June of this year. The dates were forged. Not that that would make any difference to you. You already hate Pale Moon and even without this security breach you have old forum posts to fall back on. The fact that CCleaner was infected and released to the public is proof of what I said. Unlike in Pale Moon’s case, it wasn’t some old version sitting on an archive service. It was a release version.

      3. Anonymous said on July 13, 2019 at 4:42 am
        Reply

        You don’t know exactly when the infection took place–you’re just parroting what the creator said, who’s only the most biased person on earth about this. We’ll likely never know what happened for sure, and when. And they’re still not saying anything more over there about the suspected breach of current release version installers in early May 2019, which falls squarely in the middle of the latest time frame they’re promoting now. And they didn’t even catch this archive infestation to begin with–a user had to bring it to their attention, and they finally listened to someone, after waving off everyone before, telling them their AVs were wrong!

        So funny the [Editor: please remain respectful] response on here is “It’s happened before to other software!” and “It could happen to anyone!” Could, but hasn’t. Please, refresh our memories: when was the last case of multi-month browser trojan infestation? Must’ve missed that here on ghacks…

      4. ItsMe said on July 12, 2019 at 12:26 pm
        Reply

        @Cassette I’m 100% certain that if it happened with FF it would spotted in next to no time.The big problem I now have with PM is that if they’re so incompetent with release security (they didn’t even find it apparently, they had to be told about it) which is pretty simple then why would I possibly trust them with browser security that’s anything but simple.

        @Anon, It doesn’t even matter that they’ve only a few people. For example how many people do you have to run an AV on your PC, just you. It could have easily been automated, not just AV scanning but something like SHA256 checks. It’s not like there are millions of exe’s on their server.

    2. Anonymous said on July 11, 2019 at 1:44 pm
      Reply

      ItsMe: “if you used the production channels you’re “almost certainly in the clear”, not that you definitely are. So it sounds as though they don’t really know and at some point it’s possible that has been breached too.”

      I was thinking the same thing. I recall from a discussion on ghacks in early May (comment date May 6) that at that time the Pale Moon front page displayed the following message: “Due to a potential security issue with the web installer, it is currently unavailable.” I went to their homepage and indeed that is exactly what it said. And that was not for the archive, but for the current version…

      1. ItsMe said on July 11, 2019 at 6:37 pm
        Reply

        I obviously had a brain fart with dates, 18 months not 6, so even worse. Really inexcusable. Even worse they were telling people who asked about AV alerts that they were just false positives seemingly without checking.

      2. Testerhood said on July 11, 2019 at 8:48 pm
        Reply

        The kind of mindset that community members encounter in their forums is worrying, yeah. And honestly one of the reasons why I eventually gave up Pale Moon again.

  23. user17843 said on July 11, 2019 at 11:25 am
    Reply

    Read this if you want to gauge the character of the people behind Pale Moon https://github.com/jasperla/openbsd-wip/issues/86

    1. Cassette said on July 12, 2019 at 1:12 am
      Reply

      No one’s ever made that point over and over again. Thanks for bringing something new to the discussion.

      1. Anonymous said on July 12, 2019 at 6:26 am
        Reply

        @Cassette: No one’s ever been sarcastic on here before. Thanks for bringing something new to the discussion.

    2. Testerhood said on July 11, 2019 at 8:59 pm
      Reply

      Thanks for linking this.

  24. Kubrick said on July 11, 2019 at 10:11 am
    Reply

    Full explanation here if anyone is interested.
    https://forum.palemoon.org/viewtopic.php?f=17&t=22526

    Just in case anyone wishes to see a full explanation instead of just typing the usual garbage.

    1. Shinichiro said on July 11, 2019 at 10:50 am
      Reply
      1. Jody Thornton said on July 14, 2019 at 4:29 pm
        Reply

        @Shinichiro

        Thanks for showing CLEARLY what the Moon-Matt team and its minions are like. Everyone needs to see that. Are you reading this [Editor: no personal attacks please]? How dare you criticize me for harping on this. [Editor: no personal attacks please] are shown for what they are by their very own behaviour. So buzz off. If I feel like bringing this up again and again, I’ll do so WHENEVER I feel like.

        Thank Gawd Firefox 68 ESR is working out to my liking, I need not associate myself any more with the Moon-Matt team, by using their product.

      2. Jody Thornton said on July 14, 2019 at 7:00 pm
        Reply

        @Martin: if you removed the references to whom I was addressing – the post makes no sense.

        You’re starting to censor too much. If that’s the case, then please start censoring all of the extreme right-wing posts as well. The way I see it – we’re all big people here.

      3. Martin Brinkmann said on July 14, 2019 at 7:10 pm
        Reply

        I understand where you are coming from but please understand my situation as well:This is not censorship, just stay polite, use the real names of people and there is no need for any editing on my site. I’m not doing this for my own pleasure.

      4. Anonymous said on July 11, 2019 at 4:02 pm
        Reply

        Moonchild just blamed their hoster:
        https://forum.palemoon.org/viewtopic.php?f=17&t=22520
        Since Tobin calls linux users ‘braindead’ or ‘communists’, seems like they are both too smart for securing their own data.

        https://freenode.logbot.info/palemoon/20180907/raw
        01:25:49 i don’t use linux.. I use Windows 7 like a normal person who isn’t brain dead or a communist

      5. Apparition said on July 11, 2019 at 5:51 pm
        Reply

        This just becomes more and more amusing.

  25. Anonymous said on July 11, 2019 at 9:53 am
    Reply

    At least the Pale Moon dev is not intentionally spreading his own malware, unlike Mozilla.

    1. scorpiogreen said on July 14, 2019 at 1:39 am
      Reply

      “At least the Pale Moon dev is not intentionally spreading his own malware, unlike Mozilla”

      No, he’s just living in his own fantasyland sending his trolls here to deflect on what a pile of junkware he maintains.

      The lame excuses here are getting hilarious

    2. ULBoom said on July 13, 2019 at 11:08 pm
      Reply

      So many anonymi here! Who is whom?

      Read your sentence again, it clears Mozilla. “Nots” and “un’s” matter.

      1. Hy said on July 18, 2019 at 8:29 am
        Reply

        ULBoom said: “Read your sentence again, it clears Mozilla. “Nots” and “un’s” matter.”

        You’re right–I missed that. Good eye!

    3. Anonymous said on July 11, 2019 at 12:44 pm
      Reply

      Anonymous said At least the Pale Moon dev is not intentionally spreading his own malware, unlike Mozilla.

      Actually, funny you should mention it but of course it could have been the devs themselves who planted this (real malware, a trojan dropper, as opposed to your ridiculous false Firefox hyperbole), as already pointed out over at reddit:

      “It could just as well be the devs themselves who did this. Fork Firefox, inject malware into the exe, tell people their AV is reporting a false positive and then blame ‘hackers’. Afterall this only came to light because a user bothered to send the exe they dl’ed to Avast themselves. The devs never even checked the PGP signatures. I might be wrong, but who really would ever find out?

      That’s the problem with forks. You have to place all your browsing trust in the hands of some guy somewhere who answers to no one.”

      https://www.reddit.com/r/firefox/comments/cbm2c9/hackers_infect_pale_moon_archive_server_with_a/

      The devs certainly had the access, and this would explain why it went on for a year and a half. I see on their forum that in their “full transparency” “data breach post mortem” they don’t answer or even ask the question, “How and why in the hell was this trojan infection allowed to go on for so long?”

      Oh and by the way why does malwarechild call this a “data breach”? Whose personal data was stolen? This was a malware infection that his software was spreading. Doesn’t a software developer know what a data breach is and what a malware infection is and the difference between the two? Very strange (and wrong) word choice on his part, unless he’s deliberately trying to mislead/confuse/downplay the situation.

      1. nobodyspecial said on August 19, 2019 at 5:17 am
        Reply

        >Oh and by the way why does malwarechild call this a “data breach”?

        Yeah, seeing “Data Breach” in the title of moonchild’s post made me kinda mad. That’s not what it was, and people need to be alerted in clear terms about this serious INFECTION. Failing to label the issue correctly was highly irresponsible. It also seems a bit… idk, somewhat dishonest(?)

        Anyway, if it were me, I’d have a big ol’ unavoidable alert on the palemoon home page and every download page even now, and it would stay there for quite some time. Not everybody who uses PM goes to the forum. Those who do won’t even see a title reflecting the severity of what happened.

        Btw, I’ve been using both PM and FF for years, so this isn’t coming from somebody with bad motives against one for the other. I’m just not happy with how the situation was handled.

    4. Tom said on July 11, 2019 at 11:29 am
      Reply

      No article on ghacks without bashing against Mozilla, even if the article has nothing to do with Mozilla at all. That’s so poor. But you should really stop spreading nonsense. If Mozilla would spread “malware” we would read about this on every IT website on this planet. But there is nothing. But more important: What has Mozilla to do with the hobby project Pale Moon?

  26. John C. said on July 11, 2019 at 9:33 am
    Reply

    Great googly-goo! I wonder who’s responsible for that…

    1. Bob said on July 11, 2019 at 2:30 pm
      Reply

      Negligent and irresponsible developers of Pale Moon who didn’t take necessary precautions to prevent this. In their FAQ they explicitly stated that any antivirus alerts in relation to Pale Moon are false positives that should be ignored. A completely irresponsible attitude to security that made this breach unavoidable.

      1. ilev said on July 12, 2019 at 12:41 pm
        Reply

        And they hosted the Files on a Windows server.

        “A malicious party gained access to the at the time Windows-based archive server (archive.palemoon.org) ..”

        They didn’t have enough money to setup a free Linux server.

  27. Doug said on July 11, 2019 at 8:40 am
    Reply

    It lay undetected since December 2017? That’s embarrassing.

    1. Lysanderoth said on July 13, 2019 at 6:23 pm
      Reply

      Yes, it was I, my machinations lay undetected for years, for I am a master of deception!

    2. Cigologic said on July 13, 2019 at 1:28 am
      Reply

      > Doug: “It lay undetected since December 2017?”

      It appears that Pale Moon’s archive server breach occurred NOT on 27 Dec 2017 (as initially suspected), but sometime between Apr & Jun 2019.

      This is based on 2 users who reported that they downloaded clean old versions of the EXE files from the archive server — in 2018, as well as at end Mar 2019. In other words, the Dec 2017 timestamps of the infected files were forged.

      I wonder if the archive server breach is in some way related to the episodes of attempted password-breaking on Pale Moon servers that Moonchild tweeted about in early May 2019. Also, it’s such a coincidence (or not ?) that the same archive server was discovered to have become totally & fatally corrupted since at least 26 May 2019.

      • 06 May 2019: https://twitter.com/palemoonbrowser/status/1125559607802441732
      “A note to folks trying desperately to guess SSH passwords on our servers using distributed attacks ever since we got some attention due to the Mozilla add-on debacle: don’t you have anything better/more constructive to do? What are you hoping to achieve, anyway?”

      • 28 May 2019: https://twitter.com/palemoonbrowser/status/1133347512109142016
      https://forum.palemoon.org/viewtopic.php?t=22181
      “Looks like our archive server got hosed because of file system corruption on the host node of the VPS. It won’t be available until a new server can be provisioned that is more reliable.”

      • 10 Jul 2019: https://twitter.com/palemoonbrowser/status/1148966266377506816
      “There has been a data breach on the archive server where an attempt was made to sabotage our project by infecting all archived Pale Moon executables on the server with malware.”

      • 12 Jul 2019: https://twitter.com/palemoonbrowser/status/1149633389076500485
      “Update after getting more user feedback who have used the archive server: The breach seems to have been much more recent. Looks like it occurred between April and June 2019. Makes more sense, too. It’s odd that such a thing would go unnoticed for so long.”

      Below are the reports by the 2 users who downloaded clean EXEs from the archive server in 2018 & end Mar 2019:
      https://forum.palemoon.org/viewtopic.php?p=170889#p170889
      https://forum.palemoon.org/viewtopic.php?p=170896#p170896

  28. Yuliya said on July 11, 2019 at 8:36 am
    Reply

    Is there a way to check manually whether that task has been created? I assume it should be in Task Scheduler, but where exactly, under which name? I really don’t want to install an antivirus on any of my PCs.
    That being said, I only keep the portable x64 PM, and always downloaded from the EU mirror on the maiin page, which is “http://www.palemoon.org/download.php?mirror=eu&bits=64&type=portable”. I have now “Palemoon-Portable-28.6.0.win64.exe”, which according to virustotal, is not infected. Still, I’d like to make sure.

    1. Cigologic said on July 12, 2019 at 2:58 am
      Reply

      > Yuliya: “downloaded from the EU mirror on the maiin page […] I have now “Palemoon-Portable-28.6.0.win64.exe”

      Your copy of Pale Moon v28.6.0 x64 portable EXE should be clean, as based on the release date, compromised server type & affected versions as specified by Moonchild.

      If you have older versions as well, Moonchild has on 10 Jul 2019 supplied the file hashes & file sizes for clean Pale Moon installers & portable EXE from v3.x to v27.9.4. The list appears to be incomplete, as some builds/ versions are not listed: https://pastebin.com/Lp27meQe

      > “Is there a way to check manually whether that task has been created? I assume it should be in Task Scheduler, but where exactly, under which name?”

      You can try searching your PC (files, tasks, registry) using the below-mentioned variables — with & without appended EXE extension.

      It is not clear if the malware dropped different randomly-named files &/or created different randomly-named task names on different PCs, because from what I can see, BleepingComputer’s test showed different variables from those observed by a Pale Moon user whose old mouse accidentally executed one of the infected files.

      1. BleepingComputer

      • Files Dropped by Malware: 6evfg.exe, ibvo.exe
      https://www.bleepstatic.com/images/news/u/1109292/July%202019/Infection%20process.png

      • Task: “6FGz”, Program Loc: \AppData\Roaming\Vv\fhN
      https://www.bleepstatic.com/images/news/u/1109292/July%202019/The%20scheduled–task%20being%20created.png

      2. Pale Moon User
      https://forum.palemoon.org/viewtopic.php?p=170696#p170696
      https://forum.palemoon.org/viewtopic.php?p=170687#p170687

      • Files Dropped at: \AppData\Roaming\Blw\ which contains:
      — FVMIlzQOED.exe (SHA256 hash: 990710490727638897ccf9a6d3fb5dd09a319f2a763e12795501ac2e6d2b07ff)
      — another EXE file (name not indicated by user)
      — other non-EXE files

      • Registry Entry (“Run” on OS start): associated with one of the above EXE files (name not specified by user)

      Personally, I think it would be good if Moonchild could supply one of the major malware researchers with some of the infected files. The researchers would have the expertise & equipment to investigate the archive server breach more deeply, identify gaps, & perhaps narrow down the possible source.

      AVAST probably has one of the infected files (due to early feedback by the Pale Moon user who chanced upon the compromise). It’s not known if AVAST is doing anything what with it might have, but it is in a good position to check this out, esp. with their relatively recent experience investigating the more insidious Piriform CCleaner supply-chain compromise.

      1. Yuliya said on July 12, 2019 at 4:26 pm
        Reply

        Thank you. It seems my computers have not come into contact with one of those tampered installers,

  29. Watako Tatako said on July 11, 2019 at 7:52 am
    Reply

    Lmao. That’s why you always must avoid Google, Microsoft and Mozilla browsers. They’re tracking you, and violate your privacy.

    1. Anonymous said on July 12, 2019 at 12:24 am
      Reply

      The way I read the comments of Watako Tatako (great name!) is that they were ironic or sarcastic–followers of the Pale Moonie cult on here often bash other browsers from the big three as being unsafe to use because “they’re tracking you” and they “violate your privacy.” But look at the reality: it’s Pale Moon that’s really the most insecure, infecting you with trojans and violating you much more seriously. My interpretation could certainly be wrong, of course, but that’s how I read it.

      1. Anonymous said on July 12, 2019 at 4:19 pm
        Reply

        A small part of Pale Moon–the archive–had a problem. I think it’s safe to say that most people don’t use it. It should have been better protected; I don’t think anybody would deny that. But your statement that Pale Moon is “infecting you with trojans and violating you much more seriously” is way overboard. The simple fact of the matter is that Google and Chrome are spy machines and advertising machines.

        Also, no security is perfect, and anybody can be hacked. Remember that several years ago the Windows O/S source code was hacked.

        Nobody needs to be lecturing people on what browser they “should” or “shouldn’t” be using. If somebody wants to use a mainstream browser, search engine, email service, whatever, and offer themselves up as sheeple to be led over the edge by a global monolithic mega-corp, I don’t understand that thought process, but be my guest. I’m not going to tell them they “shouldn’t” do that. I’ll just go in another direction, thanks.

      2. Anonymous said on July 13, 2019 at 4:12 am
        Reply

        We get it–you’re here to defend [Editor: please remain respectful], you want to downplay it (“a small part of Pale Moon”), you want to state–without evidence and based on nothing–that most people weren’t affected, even though you have no way of knowing how many people were affected. We’ll likely never know, and we’ll likely never get an unbiased outside professional assessment of what happened. The simple fact of the matter is that all of those versions of Pale Moon were infected with trojans. I don’t like and don’t use Chrome and IE/Edge, but I’d use Firefox, Chrome, IE/Edge ANY DAY over downloading a browser with a trojan infection.

        Funny how you say “nobody needs to be lecturing people on what browser they “should” or “shouldn’t” be using,” and then you go on to do just that. Funnily enough, no one on this page “lectured people on what browser to use,” but then you come along, lecturing and insulting everyone who uses a “mainstream browser.” You’re not going to tell them they “shouldn’t,” you’ll just insult them and make fun of them if they do. Nice.

        You want to minimize what happened, and talk down to people who don’t use the same browser as you. Thanks but no thanks. Not helpful.

        Maybe Watako Tatako can weigh in on what the original comment really meant.

      3. Anonymous said on July 14, 2019 at 5:49 am
        Reply

        “you want to state–without evidence and based on nothing–that most people weren’t affected”

        I said: “I think it’s safe to say that most people don’t use it.” Not exactly a definitive statement but I think a reasonable one.

        “Funny how you say “nobody needs to be lecturing people on what browser they “should” or “shouldn’t” be using,” and then you go on to do just that.”

        I wasn’t lecturing.

        “Funnily enough, no one on this page “lectured people on what browser to use,””

        You left out the ““or shouldn’t” be using” . . . I’m not going to tell them they “shouldn’t” do that” parts.

        “You want to minimize what happened, and talk down to people who don’t use the same browser as you.”

        I use 3 browsers; which one are you talking about?

        Some of us are a tad over-heated.

        I did say, “I don’t understand that thought process.” Never have. Never will. Thanks.

        My comments stand.

    2. Anonymous said on July 11, 2019 at 3:47 pm
      Reply

      What does your ridiculous comment have to do with Pale Moon, other than nuthin’? This is not a trick question.

    3. Tom said on July 11, 2019 at 11:27 am
      Reply

      Pale Moon is neither Google, Microsoft nor Mozilla, [Editor: please no attacks]

  30. Iron Heart said on July 11, 2019 at 7:43 am
    Reply

    Somebody apparently fucked them over badly. This is extremely bad, but it‘s also worrisome that the hack went undetected for more than 1 1/2 years. I mean, how is that possible? After all, the actual file sizes of the installers changed due to the malware!

    This is why you don‘t use browsers developed by hobby projects. That‘s a massive security flaw in their own archives, and nobody noticed! Instead of berating their users in their forums, maybe they should have spent more time securing their shit.

    I am sure some Malware Moon users will defend this in the following, even if it went undetected for so long. We are not talking about two days here…

    1. 99 said on July 11, 2019 at 5:03 pm
      Reply

      La Le Lu – nur der Mann im Mond schaut zu …

      Iron Heart said on July 9, 2019 at 9:55 pm

      >>>”Firefox is spyware. Use something else if you want any kind of privacy. Pale Moon, Ungoogled Chromium, Brave… All better than Firefox in this respect, to be honest with you.”

      … and when the night is the deepest, 2 days later the enlightenment:

      This is why you don‘t use browsers developed by hobby projects.

      Hey, at last on ghacks.net is land in sight!

      1. Iron Heart said on July 11, 2019 at 6:06 pm
        Reply

        @99

        Oh and as for the song… Sound vomit-inducing. Did that travesty come out of the country of Beethoven, Haendel and Bach? How the Mighty have fallen!

        Revise your music taste as soon as possible.

      2. Iron Heart said on July 11, 2019 at 5:47 pm
        Reply

        @99

        Pale Moon‘s default configuration – is – more privacy-friendly than Firefox. But if it‘s infested with malware (no way I could have known that, really), then it shouldn‘t be used of course. That should be self-explanatory.

        Never mind the devs who behave like… No comment, I think you know their behavior already.

    2. Kubrick said on July 11, 2019 at 10:20 am
      Reply

      @iron heart.
      Bleeping computer and malwarebytes were fucked over badly in the past so should we stop using those too.?.

      The 3 billy goats gruff and the troll under the bridge come to mind.I love the stories of the brothers grimm by the way.

      I expect the palemoon haters to be having multiple orgasms over this and the barrage of comments which will follow will be immense.

      1. Bahb said on July 11, 2019 at 2:43 pm
        Reply

        There is no reason to be so defensive. It is very important to spread this news to warn PM users that their computers may be infected. And, who knows, maybe after this fuckup Manchild and Toady will change their approach to security which will make future realeases of PM safer.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.