Thunderbird Audit reveals unpatched security issues

A recent security audit of the email client Thunderbird and the encryption extension Enigmail revealed unpatched security issues in both programs.
The report has not been released yet because the issues are not yet patched in Thunderbird. The researchers found 22 vulnerabilities in total across both programs; three of the vulnerabilities received a critical rating, five a rating of high.
Update: Thunderbird 52.5.2 fixes the vulnerabilities.
Some results of the audit were posted on the Posteo blog. All issues that the researchers found in Enigmail have been fixed already in Enigmail 1.9.9 which users can download from the official project website.
This version addresses a number of security vulnerabilities discovered by Cure53 during an audit of Thunderbird with Enigmail. The audit report covers both Thunderbird and Enigmail. As some vulnerabilities are still unfixed on the side of Thunderbird, we currently only publish an excerpt of the report with the issues found in Enigmail.
The report has not been published in its entirety yet, but Posteo has some insights for Thunderbird users to reduce the risk of running into exploits.
The following recommendations have been posted:
- Thunderbird should be updated to the latest version as soon as it is released.
- Users should not use RSS feeds in Thunderbird. The researchers found critical issues in the handling of RSS feeds that can reveal the "entire communication" and "other sensitive data".
- Don't use add-ons. If you have to use add-ons, only use verified add-ons.
If you use Thunderbird to read RSS feeds, then you may want to consider disabling the functionality until a patch is released. Posteo notes, however, that it may take until Thunderbird 59, which won't be out for months.
Here is how you turn off the functionality for now:
- Locate the "Blogs & News Feed" listing in the Thunderbird sidebar.
- Right-click on it, and select Settings.
- You have two options now:
  - Select Account Actions, and select "Remove Account". This removes all feeds and the feed account from Thunderbird. Note that you cannot restore it afterwards anymore.
  - Remove the checkmark from "check for new articles at startup" and "check for new articles every x minutes". This keeps the RSS feeds, but won't retrieve new ones on startup or automatically.
The second option may be less secure. I cannot say for sure as the vulnerability has not been revealed yet. If you want to make sure, delete the feed account in Thunderbird. You can make a backup first to restore the account after the update has been released.
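To check a profile against the recommendations above without opening the client, the following added example (not from Posteo, Cure53 or the Thunderbird project) scans the text of a profile's prefs.js for feed accounts and compares version strings with the fixed releases named in this article. It assumes feed accounts are stored as `mail.server.serverN.type` set to `"rss"`; the sample preferences are constructed.

```python
import re

# Fixed releases named in the article.
FIXED = {"thunderbird": (52, 5, 2), "enigmail": (1, 9, 9)}

# Matches lines such as: user_pref("mail.server.server2.type", "rss");
PREF_RE = re.compile(
    r'^user_pref\("mail\.server\.(server\d+)\.(type|name)",\s*"([^"]*)"\);',
    re.MULTILINE,
)

# Constructed sample of a prefs.js excerpt (not taken from a real profile).
SAMPLE_PREFS = '''user_pref("mail.server.server1.type", "imap");
user_pref("mail.server.server1.name", "alice@example.org");
user_pref("mail.server.server2.type", "rss");
user_pref("mail.server.server2.name", "Blogs & News Feeds");
user_pref("mail.server.server3.type", "none");
user_pref("mail.server.server3.name", "Local Folders");
'''

def feed_accounts(prefs_text):
    """Return [(server_key, display_name)] for accounts whose type is "rss"."""
    servers = {}
    for key, field, value in PREF_RE.findall(prefs_text):
        servers.setdefault(key, {})[field] = value
    return sorted((key, info.get("name", ""))
                  for key, info in servers.items()
                  if info.get("type") == "rss")

def parse_version(text):
    """Turn '52.5.2' into (52, 5, 2); short versions are padded with zeros."""
    parts = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def needs_update(product, version):
    """True if the version is older than the fixed release for the product."""
    return parse_version(version) < FIXED[product]

def review(prefs_text, thunderbird_version, enigmail_version=None):
    """Collect findings that map to the article's recommendations."""
    findings = []
    if needs_update("thunderbird", thunderbird_version):
        findings.append("Thunderbird %s is older than 52.5.2" % thunderbird_version)
    if enigmail_version and needs_update("enigmail", enigmail_version):
        findings.append("Enigmail %s is older than 1.9.9" % enigmail_version)
    for key, name in feed_accounts(prefs_text):
        findings.append("Feed account present: %s (%s)" % (name, key))
    return findings

if __name__ == "__main__":
    print("\n".join(review(SAMPLE_PREFS, "52.5.0", "1.9.8")))
```

Read prefs.js while Thunderbird is closed, since the client rewrites the file on exit.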


You said that Outlook isn’t your main email client, so which is your main one?
I think it's Thunderbird
It is Mozilla Thunderbird.
Awesome! This actually solved my problem… what a stupid bug.
If this is the same bug that I’ve encountered, there may be another fix: (1) hover over open Outlook item in Taskbar, cursor up to hover over Outlook window item, and right-click; (2) this should give you Restore / Move / Size / Minimize / Maximize — choose Move or Size; (3) use your cursor keys, going arbitrarily N/S/E/W, to try to move or size the Outlook window back into view. Basically, the app behaves as though it were open in a 0x0 window, or at a location that’s offscreen, and this will frequently work to resize and/or move the window. Don’t forget to close while resized/moved, so that Outlook remembers the size/position for next time.
THANK YOU Claude!!! I could get the main window to launch but could not get any other message window to show on the desktop. You are my hero!!!!
Solved my issue! 6 years later and this is still a problem…
Fantastic. Thank you. Size did the trick.
This solved my Outlook problem, too. Thank you. :)
Thank you so much, this started happening to me today and was causing big problems. You are a life saver, I hope I can help you in some way some day.
You are a god – thank you!
Thanks a lot… works like a charm. :-)
Yah…thanks Claude. I’ve been having the same problem and tried all the suggestions…your solution was the answer. It had resized itself to a 0/0 box. Cheers
Excellent post. This had me baffled even trying to accurately describe the problem. This fixed it for me.
Thank you
Thanks a lot for the article. Don’t know why it happened, don’t know how it got fixed, but it was really annoying and now it works :-)
Thanks a lot. I was facing this issue for the past 3 weeks. I tried everything but no resolution. The issue was happening intermittently and mainly when I was changing the display of the screen (as I use 2 monitors). The only option I had was to do a system restore. But thanks to you.
I’ve been trying to solve this problem for 12 hours. Your comment about changing the display of screen helped me a lot!! Thanks!!
Thank you… don’t know why this happened but your instructions helped me fix it. Running Windows 10 and Office Pro 2007
Great tip! Thanks!
Worked for me, too – thank you!!!
It worked for me, too
thank you very much!
I had a similar issue with Outlook 2013 on Windows 10 and this helped me to fix it. Thank you very much!
Thank you so much. Solved!
Considering you published this in 2012, it is incredible that it has not been debugged by Microsoft.
Thank you again. M
This problem was faced by only one user logging in to TS 2008 R2 using Outlook 2010. The issue was resolved.
Thanks.
Great tip. Thank you!!!! If it helps, I had to use the Control Key and the arrow keys at the same time to bring my window back into view. Worked like a charm.
Thank you, this worked !!!!
Man, you are a fucking god. Thanks a lot, what an annoying bug!!
Awesome, this post solved the issue. Many thanks!