A recent security audit of the email client Thunderbird and the encryption extension Enigmail revealed unpatched security issues in the email program and in Enigmail.
The report has not been released yet as issues are not yet patched in the Thunderbird program. The researchers found 22 vulnerabilities in total in both programs; three of the vulnerabilities received a critical rating, five a rating of high.
Update: Thunderbird 52.5.2 fixes the vulnerabilities.
Some results of the audit were posted on the Posteo blog. All issues that the researchers found in Enigmail have been fixed already in Enigmail 1.9.9 which users can download from the official project website.
This version addresses a number of security vulnerabilities discovered by Cure53 during an audit of Thunderbird with Enigmail. The audit report covers both Thunderbird and Enigmail. As some vulnerabilities are still unfixed on the side of Thunderbird, we currently only publish an excerpt of the report with the issues found in Enigmail.
The report has not been published in its entirety yet, but Posteo has some insights for Thunderbird users to reduce the risk of running into exploits.
The following recommendations have been posted:
If you use Thunderbird to read RSS feeds, then you may want to consider disabling the functionality for the time being until a patch is released. Posteo notes, however, that a fix may take until Thunderbird 59, which won't be out for months.
Here is how you turn off the functionality for now:
The second option may be less secure. I cannot say for sure as the vulnerability has not been revealed yet. If you want to make sure, delete the feed account in Thunderbird. You can make a backup first to restore the account after the update has been released.