Thunderbird gets its EFAIL patch

Thunderbird has pushed code with fixes for a dozen security vulnerabilities – including the EFAIL encryption mess that emerged in May. The EFAIL-specific fixes address two errors in Thunderbird's handling of encrypted messages: CVE-2018-12372, in which an attacker can build S/MIME and PGP decryption oracles in HTML messages; …

  1. TReko

    Good to see it's still in development

    We use it as a mail client and find it hard to beat.

    1. big_D Silver badge

      Re: Good to see it's still in development

      At my last employer, an open source security company, they used that and Claws.

      It is starting to feel a bit dated and needs a little more love, but it is still a solid program.

    2. fobobob

      Re: Good to see it's still in development

      Shame the current plan is to commit the same lobotomy they performed on Firefox.

      1. Dan 55 Silver badge

        Re: Good to see it's still in development

        They don't have enough resources to fork Gecko so they've got no choice.

        If Thunderbird pooled resources with Pale Moon, Waterfox, Basilisk, and SeaMonkey they might be able to maintain an older Gecko but open source is like herding cats.

        1. Doctor Syntax Silver badge

          Re: Good to see it's still in development

          "If Thunderbird pooled resources with Pale Moon, Waterfox, Basilisk, and SeaMonkey"

          Even better, if they, and preferably SeaMonkey, had gone over to the Document Foundation when that was proposed a few years ago...

    3. Fungus Bob

      Re: and find it hard to beat

      The same can be said about erectile dysfunction.

  2. _LC_ Silver badge

    Filed under "bugs which require your assistance".

    HTML and scripting in e-mails - disabled by default. Take that as a hint. ;-)

  3. Dan 55 Silver badge

    On SettingContent-ms files...

    MSRC responded with a note that the severity of the issue is below the bar for servicing and that the case will be closed.

    So Thunderbird is more secure than Office.

    I guess we'll just have to wait for someone to exploit it before MS do something about it.

    1. big_D Silver badge

      Re: On SettingContent-ms files...

      There was no mention of Office in the article... :-S But, generally, it is probably more secure, because it does less (KISS).

      The problem you mention is the execution of control panel shortcuts within Thunderbird on Windows. The problem, among other things, is the <DEEPLINK> tag. If a manipulated attachment on an email in Thunderbird is opened, it can execute the embedded path to an executable.

      This is a problem with the .SettingContent-ms specification and will affect any application that allows these settings files to be executed. They are designed to be used locally, to open control panel elements directly; it seems it wasn't envisioned that they would be manipulated and sent by e-mail or downloaded from malicious websites. The same old story: a useful tool where the developers didn't think far enough when it comes to security.

      This is a Windows 10 problem, but it affects any application that allows the files to be opened or executed.
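As an added illustration of the DeepLink problem described in the comment above (example code written for this page, not from Thunderbird, Microsoft or the commenter): a small Python triage script that parses a .SettingContent-ms file and flags any DeepLink that launches something other than the control panel. The element layout of the samples and the control.exe / ms-settings: allowlist are assumptions from memory, and both sample files are constructed.

```python
"""Triage .SettingContent-ms attachments by inspecting their <DeepLink> element."""
import ntpath
import shlex
import xml.etree.ElementTree as ET

# Assumed allowlist: a legitimate settings shortcut launches the control panel
# binary or an ms-settings: URI; anything else deserves a closer look.
ALLOWED_LAUNCHERS = {"control.exe"}
ALLOWED_URI_SCHEMES = ("ms-settings:",)

# Constructed sample resembling a benign shortcut (element layout from memory).
BENIGN_SAMPLE = """<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\\system32\\control.exe</DeepLink>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>"""

# Constructed sample of the abuse pattern: the DeepLink points at a shell instead.
SUSPICIOUS_SAMPLE = BENIGN_SAMPLE.replace(
    "<DeepLink>%windir%\\system32\\control.exe</DeepLink>",
    "<DeepLink>C:\\Windows\\System32\\cmd.exe /c [constructed placeholder]</DeepLink>")

def extract_deeplinks(xml_text: str) -> list[str]:
    """Return the text of every DeepLink element, regardless of namespace or depth."""
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iter()
            if el.tag.lower().endswith("deeplink") and el.text]

def is_suspicious(deeplink: str) -> bool:
    """True when the DeepLink would launch something other than the control panel."""
    if deeplink.lower().startswith(ALLOWED_URI_SCHEMES):
        return False
    try:  # posix=False keeps Windows backslashes; the first token is the program
        tokens = shlex.split(deeplink, posix=False)
    except ValueError:  # unbalanced quotes: malformed, so treat as suspicious
        return True
    if not tokens:
        return True
    exe = ntpath.basename(tokens[0].strip('"')).lower()
    return exe not in ALLOWED_LAUNCHERS

def triage(xml_text: str) -> dict:
    """Classify one file; unparseable or DeepLink-less files are flagged too."""
    try:
        links = extract_deeplinks(xml_text)
    except ET.ParseError:
        links = []
    flagged = [link for link in links if is_suspicious(link)]
    suspicious = bool(flagged) or not links
    return {"verdict": "suspicious" if suspicious else "clean", "flagged": flagged}
```

Feed it the attachment body from a mail gateway or sandbox hook; the `flagged` list tells an analyst exactly which command the shortcut would have run.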

      1. Dan 55 Silver badge

        Re: On SettingContent-ms files...

        You don't need to explain it to me, I read the link given in the article, which is where the mention of Office was.

        And in that linked page we find that MS decided it wasn't worth updating Office to filter out this filetype (see text I quoted from the linked page above). I guess they will when the exploits roll in... indicating MS is following the Adobe whack-a-mole method of bug fixing and Thunderbird, with much more limited resources, is more proactive.

        1. big_D Silver badge

          Re: On SettingContent-ms files...

          The easiest way is to block it yourself. You can add it to the blocked filetype list in GPOs.

          1. Steve Davies 3 Silver badge

            Re: Using GPOs

            And exactly what percentage of 'normal' users out there will even know about GPOs, let alone how to use them for this purpose?

            Not everyone is in a corporate environment you know.

          2. Dan 55 Silver badge

            Re: On SettingContent-ms files...

            Ok, I'll tell my Dad who's running W10 Home that the easiest way is to block it himself by changing group policy.

  4. Anonymous Coward

    no love

    I was forced by MS to shift to Thunderbird when they killed off hotmail/livemail support, and I must say that it has been ALWAYS an unpleasant experience. Yes, it works, after a fashion (if MS servers don't refuse connection, which is an MS issue of course), but other than that - the interface is clunky, user-unfriendly, settings are all over the place. Judging by developers' (?) replies to comments about it (why do you find it hard, WE FIND IT EASY), it's the usual problem of mis-matching viewpoint.

    And then, over the last two years, they haven't bothered to fix the bug (a "feature", I'm sure!), which had been reported a couple of years prior to that, i.e. every odd time (yes, ODD TIME) it shows the spam-ad for Thunderbird in the message preview window. Yes, I DO know how to turn it off; it does not work. Or rather, sometimes it does, sometimes it does not, no rhyme or rhythm. I can live with it, sure, but it's like that stitching in your shoe that makes you remember (not in a good way) every time you go take a walk.

    And yet, the magic of free...

    1. John Crisp

      Re: no love

      We use it all the time and it works pretty well.

      However, from personal experience I completely agree with this

      "Judging by developers' (?) replies to comments about it (why do you find it hard, WE FIND IT EASY)"

      Their attitude is frequently pompous and arrogant with a 'lalala' fingers in ears, not listening attitude. That sucks big style. You start by wanting to try and help, and end up walking away.

      I'm sure that whatever they produce will be a pile of spaghetti which they'll think is great, no matter how much criticism they get.

      Ah well. Still prefer it to drinking the M$ Koolaid. It could just be so much better.


Biting the hand that feeds IT © 1998–2020