[tor-talk] Thunderbird leak

Mike Cardwell tor at lists.grepular.com
Tue Jan 28 07:39:06 UTC 2014


* on the Mon, Jan 27, 2014 at 10:56:17AM -0800, Al Billings wrote:

> Yes but you have to choose to view the original html or it doesn't do
> anything. So, by default, users will not be automatically exploited.
> They have to get a bad email and then choose menu options for that one
> email to then be able to click on a link which then might have content

The above statement is all wrong. Thunderbird by default displays emails
as original HTML. Only when you install TorBirdy does that change.

> This is why it was considered a "moderate" security issue.

No, I don't believe that played any part in the classification.

> It isn't a drive by exploit where you send mail to people and then
> something happens to them. They have to actively cooperate to be
> exploited.

It requires the user to receive an email, and then click a link in that
email. This is not unusual behaviour.

> It is a bug, yes, but it isn't as bad as was being painted the other day here.

It is a horrible bug for Tor users who are using Thunderbird without
TorBirdy. To clarify, at no point did I state that TorBirdy users were
affected. I brought up the issue here exactly so that those sorts of
issues could be investigated.

I suggest if you are going to make any further statements about the
way the bug works, you replicate it first.

The bug report is now public. Somebody has submitted a patch, but
they've also suggested that there may be similar bugs in the MathML
code waiting to be found.

-- 
Mike Cardwell  https://grepular.com/     http://cardwellit.com/
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4