Practical Technology

for practical people.

Thunderbird security woes


When Firefox 2.0.0.12 came out on Feb. 7, it brought with it fixes for three critical security holes and seven that were not quite so serious. According to the security advisories, many of these problems were also fixed in the Thunderbird 2.0.0.12 e-mail client. Unfortunately, there is no Thunderbird 2.0.0.12.

The Mozilla Foundation’s press release focused on the Firefox 2.0.0.12 security fixes. The Foundation also reported, though, in its MFSA (Mozilla Foundation Security Advisory), that these same bugs had been fixed in the fictitious Thunderbird 2.0.0.12.

Specifically, the following critical security advisories were reported to be fixed in both Firefox and Thunderbird 2.0.0.12: MFSA 2008-01 (crashes with evidence of memory corruption) and MFSA 2008-03 (privilege escalation, XSS, remote code execution). In addition, the serious security bug MFSA 2008-05 (directory traversal via chrome: URI) and moderate security bug MFSA 2008-08 (file action dialog tampering) are reported to have been fixed in the nonexistent Thunderbird 2.0.0.12.

All of these security problems trace back to how Gecko, the layout engine behind both Firefox and Thunderbird, handles JavaScript. More precisely, the core problem lies in how Gecko mishandles JavaScript.

The brute-force solution is simply to make sure that JavaScript is never enabled in Thunderbird. Unlike in a Web browser, where disabling JavaScript is a far more serious step because it breaks JavaScript-dependent Web sites, there is seldom any call for running JavaScript in HTML-formatted e-mail messages.
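One way to verify that a Thunderbird profile really has JavaScript off is to audit the profile's prefs.js (or user.js) rather than trust the options dialog. The following is an added example, not code from the article or from Mozilla; it assumes that the Gecko preference name is `javascript.enabled` and that the file uses the standard `user_pref("name", value);` line format. The sample preference file below is constructed for the example.

```python
import re
from typing import Dict, Optional, Union

# Constructed sample of a profile prefs.js; the values are made up for this example.
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("app.update.lastUpdateTime.background-update-timer", 1202500000);
user_pref("javascript.enabled", true);
user_pref("mail.startup.enabledMailCheckOnce", true);
"""

# Matches one user_pref() line: a quoted name and a boolean, integer or quoted-string value.
PREF_RE = re.compile(
    r'^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\);\s*$'
)

PrefValue = Union[bool, int, str]


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse user_pref() lines into a dict. A later line for the same name overrides
    an earlier one, which mirrors how Gecko applies the file top to bottom."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines and anything unexpected are skipped
        name, raw = m.group(1), m.group(2)
        if raw == "true":
            prefs[name] = True
        elif raw == "false":
            prefs[name] = False
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def javascript_enabled(text: str) -> Optional[bool]:
    """True/False if the profile pins javascript.enabled explicitly, None if it is
    not set at all (the application default then applies, which this audit cannot see)."""
    value = parse_prefs(text).get("javascript.enabled")
    return None if value is None else bool(value)


def harden(text: str) -> str:
    """Return the preference text with javascript.enabled forced to false.
    Existing javascript.enabled lines are dropped and the disabling line is
    appended last so it wins regardless of what came before."""
    kept = [
        line for line in text.splitlines()
        if not re.match(r'^\s*user_pref\("javascript\.enabled"', line)
    ]
    kept.append('user_pref("javascript.enabled", false);')
    return "\n".join(kept) + "\n"


def audit(text: str) -> str:
    """Human-readable verdict for a profile's preference text."""
    state = javascript_enabled(text)
    if state is True:
        return "javascript.enabled is TRUE: JavaScript runs in mail; apply harden()"
    if state is False:
        return "javascript.enabled is false: JavaScript disabled"
    return "javascript.enabled not pinned: add an explicit false in user.js"


if __name__ == "__main__":
    print(audit(SAMPLE_PREFS))
    print(audit(harden(SAMPLE_PREFS)))
```

Writing the disabling line into user.js rather than prefs.js is the durable choice, since prefs.js is rewritten by the application on exit while user.js is reapplied on every start.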

Still, it is upsetting that Mozilla reports that these problems have been fixed in a version of Thunderbird that doesn’t exist. The latest version of Thunderbird is 2.0.0.9.

DesktopLinux.com tried to reach the Mozilla Foundation Feb. 8 for an explanation, but, as of the afternoon of Feb. 11, the Foundation had not replied.

There has long been concern that Thunderbird was not a real priority for Mozilla. In September 2007, Mozilla announced that it was spinning Thunderbird off into a company of its own: MailCo. Only weeks later, Scott McGregor, one of Thunderbird’s two key developers, left Mozilla. This reignited Thunderbird users’ fears that Mozilla was not so much moving Thunderbird out as throwing it out.

Since that time, MailCo has still not left the launch pad. Dr. David Ascher, formerly chief technology officer and vice president of engineering for ActiveState, and a director of the Python Software Foundation, is heading the effort to found the company. On his blog, Ascher reported that as of Jan. 15, Dan Mosedale, once he’s done with his work on the forthcoming Firefox 3, will be helping to get MailCo off the ground.

It appears, though, based on the postings in the blog, that MailCo is still months away from opening its doors. In the meantime, there appears to be little work being done on Thunderbird despite these misleading messages indicating that security fixes are still being delivered to the popular open-source e-mail client.

A version of this story first appeared in DesktopLinux.
