[tor-talk] Thunderbird leak
Mike Cardwell
tor at lists.grepular.com
Tue Jan 28 07:39:06 UTC 2014
* on the Mon, Jan 27, 2014 at 10:56:17AM -0800, Al Billings wrote:

> Yes but you have to choose to view the original html or it doesn't do
> anything. So, by default, users will not be automatically exploited.
> They have to get a bad email and then choose menu options for that one
> email to then be able to click on a link which then might have content

The above statement is all wrong. Thunderbird by default displays emails
as original HTML. Only when you install TorBirdy does that change.

> This is why it was considered a "moderate" security issue.

No, I don't believe that played any part in the classification.

> It isn't a drive by exploit where you send mail to people and then
> something happens to them. They have to actively cooperate to be
> exploited.

It requires the user to receive an email, and then click a link in that
email. This is not unusual behaviour.

> It is a bug, yes, but it isn't as bad as was being painted the other day here.

It is a horrible bug for Tor users who are using Thunderbird without
TorBirdy. To clarify, at no point did I state that TorBirdy users were
affected. I brought up the issue here exactly so that those sorts of
issues could be investigated.

I suggest if you are going to make any further statements about the
way the bug works, you replicate it first.

The bug report is now public. Somebody has submitted a patch, but
they've also suggested that there may be similar bugs in the MathML
code waiting to be found.
--
Mike Cardwell https://grepular.com/ http://cardwellit.com/
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4