Thunderbird Audit reveals unpatched security issues - gHacks Tech News

Thunderbird Audit reveals unpatched security issues

A recent security audit of the email client Thunderbird and the encryption extension Enigmail revealed unpatched security issues in the email program and in Enigmail.

The report has not been released yet as issues are not yet patched in the Thunderbird program. The researchers found 22 vulnerabilities in total in both programs; three of the vulnerabilities received a critical rating, five a rating of high.

Update: Thunderbird 52.5.2 fixes the vulnerabilities.

Some results of the audit were posted on the Posteo blog. All issues that the researchers found in Enigmail have been fixed already in Enigmail 1.9.9 which users can download from the official project website.

This version addresses a number of security vulnerabilities discovered by Cure53 during an audit of Thunderbird with Enigmail. The audit report covers both Thunderbird and Enigmail. As some vulnerabilities are still unfixed on the side of Thunderbird, we currently only publish an excerpt of the report with the issues found in Enigmail.

thunderbird security issues rss

The report has not been published in its entirety yet, but Posteo has some insights for Thunderbird users to reduce the risk of running into exploits.

The following recommendations have been posted:

  • Thunderbird should be updated to the latest version as soon as it is released.
  • Users should not use RSS feeds in Thunderbird. The researches found critical issues in the handling of RSS feeds that can reveal the "entire communication" and "other sensitive data".
  • Don't use add-ons. If you have to use add-ons, only use verified add-ons.

If you use Thunderbird to read RSS feeds, then you may want to consider disabling the functionality for the time being until a patch is released. Posteo notes however that it may take until Thunderbird 59 which won't be out for months.

Here is how you turn off the functionality for now:

  1. Locate the "Blogs & News Feed" listing in the Thunderbird sidebar.
  2. Right-click on it, and select Settings.
  3. You have two options now:
    1. Select Account Actions, and select "Remove Account". This removes all feeds and the feed account from Thunderbird. Note that you cannot restore it afterwards anymore.
    2. Remove the checkmark from "check for new articles at startup" and "check for new articles every x minutes". This keeps the RSS feeds, but won't retrieve new ones on startup or automatically.

The second option may be less secure. I cannot say for sure as the vulnerability has not been revealed yet. If you want to make sure, delete the feed account in Thunderbird. You can make a backup first to restore the account after the update has been released.

Summary
Thunderbird Audit reveals unpatched security issues
Article Name
Thunderbird Audit reveals unpatched security issues
Description
A recent security audit of the email client Thunderbird and the encryption extension Enigmail revealed unpatched security issues in the email program and in Enigmail.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:


Previous Post: «
Next Post: »

Comments

  1. Elias Fotinis said on December 27, 2017 at 5:33 pm
    Reply

    I was going to complain about letting those vulnerabilities linger until v59, but just saw that Thunderbird has updated to 52.5.2, which seems to have taken care of them. Looks like I won’t have to remove my GHacks feed after all… ;-)

    1. Martin Brinkmann said on December 27, 2017 at 5:45 pm
      Reply

      You are right, what a relief ;)

  2. Jonathan said on December 27, 2017 at 7:22 pm
    Reply

    Typo, the current version of Thunderbird is 52.5.2, you incorrectly stated it as version 55.5.2 in your update :)

  3. Clairvaux said on December 27, 2017 at 7:33 pm
    Reply

    I’m afraid I don’t get it. There seems to be conflicting information in the article. What is fixed and what is not fixed ? There is a link to Thunderbird 55.5.2, but it leads to 52.5.2.

    1. Martin Brinkmann said on December 27, 2017 at 7:36 pm
      Reply

      It is 52.5.2, sorry for that. I fixed the typo.

  4. Dave said on December 27, 2017 at 11:13 pm
    Reply

    fucking great! The update broke stylish now I’ve got this damn bright white background again. I was using Thunderbird Dark.

    Now I can’t even locate the stylish extension for thunderbird :(

    1. Dave said on December 27, 2017 at 11:20 pm
      Reply

      So, I was able to copy the CSS code from the userstyles.org page for Thunderbird Dark and paste it into a userChrome.css file I created in the chrome folder I created in my thunderbird profile folder. Does anyone know how to modify the CSS to get the style into the calender as well?

  5. Fena said on December 28, 2017 at 1:38 am
    Reply

    Locate the “Blogs & News Feed” listing in the Thunderbird sidebar.

    cannot find sidebar or blogs & news feed. perhaps because I would never use

  6. TelV said on December 28, 2017 at 4:40 pm
    Reply

    Looks like Autocrypt may be a good alternative to Enigmail: https://autocrypt.org/

    Also mentioned in the Posteo blog: https://posteo.de/en/blog

    1. foolishgrunt said on December 28, 2017 at 8:02 pm
      Reply

      I think you misunderstand. Autocrypt is an encryption method that is supported by various applications, including Enigmail.

  7. Robin Close said on December 29, 2017 at 6:40 pm
    Reply

    Wonder how many unpatched vulnerabilities remain in Outlook… oh yeah, we’ll never know – closed source.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.