Thunderbird Audit reveals unpatched security issues
A recent security audit of the email client Thunderbird and the encryption extension Enigmail revealed unpatched security issues in the email program and in Enigmail.
The report has not been released yet as issues are not yet patched in the Thunderbird program. The researchers found 22 vulnerabilities in total in both programs; three of the vulnerabilities received a critical rating, five a rating of high.
Update: Thunderbird 52.5.2 fixes the vulnerabilities.
Some results of the audit were posted on the Posteo blog. All issues that the researchers found in Enigmail have been fixed already in Enigmail 1.9.9 which users can download from the official project website.
This version addresses a number of security vulnerabilities discovered by Cure53 during an audit of Thunderbird with Enigmail. The audit report covers both Thunderbird and Enigmail. As some vulnerabilities are still unfixed on the side of Thunderbird, we currently only publish an excerpt of the report with the issues found in Enigmail.
The report has not been published in its entirety yet, but Posteo has some insights for Thunderbird users to reduce the risk of running into exploits.
The following recommendations have been posted:
- Thunderbird should be updated to the latest version as soon as it is released.
- Users should not use RSS feeds in Thunderbird. The researches found critical issues in the handling of RSS feeds that can reveal the "entire communication" and "other sensitive data".
- Don't use add-ons. If you have to use add-ons, only use verified add-ons.
If you use Thunderbird to read RSS feeds, then you may want to consider disabling the functionality for the time being until a patch is released. Posteo notes however that it may take until Thunderbird 59 which won't be out for months.
Here is how you turn off the functionality for now:
- Locate the "Blogs & News Feed" listing in the Thunderbird sidebar.
- Right-click on it, and select Settings.
- You have two options now:
- Select Account Actions, and select "Remove Account". This removes all feeds and the feed account from Thunderbird. Note that you cannot restore it afterwards anymore.
- Remove the checkmark from "check for new articles at startup" and "check for new articles every x minutes". This keeps the RSS feeds, but won't retrieve new ones on startup or automatically.
The second option may be less secure. I cannot say for sure as the vulnerability has not been revealed yet. If you want to make sure, delete the feed account in Thunderbird. You can make a backup first to restore the account after the update has been released.
Wonder how many unpatched vulnerabilities remain in Outlook… oh yeah, we’ll never know – closed source.
Looks like Autocrypt may be a good alternative to Enigmail: https://autocrypt.org/
Also mentioned in the Posteo blog: https://posteo.de/en/blog
I think you misunderstand. Autocrypt is an encryption method that is supported by various applications, including Enigmail.
Locate the “Blogs & News Feed” listing in the Thunderbird sidebar.
cannot find sidebar or blogs & news feed. perhaps because I would never use
fucking great! The update broke stylish now I’ve got this damn bright white background again. I was using Thunderbird Dark.
Now I can’t even locate the stylish extension for thunderbird :(
So, I was able to copy the CSS code from the userstyles.org page for Thunderbird Dark and paste it into a userChrome.css file I created in the chrome folder I created in my thunderbird profile folder. Does anyone know how to modify the CSS to get the style into the calender as well?
I’m afraid I don’t get it. There seems to be conflicting information in the article. What is fixed and what is not fixed ? There is a link to Thunderbird 55.5.2, but it leads to 52.5.2.
It is 52.5.2, sorry for that. I fixed the typo.
Typo, the current version of Thunderbird is 52.5.2, you incorrectly stated it as version 55.5.2 in your update :)
I was going to complain about letting those vulnerabilities linger until v59, but just saw that Thunderbird has updated to 52.5.2, which seems to have taken care of them. Looks like I won’t have to remove my GHacks feed after all… ;-)
You are right, what a relief ;)