How-dee! Have you all heard about this:
https://www.securityweek.com/zerodium-o ... y-exploits
Zerodium is interested in zero-day exploits for Outlook and Thunderbird. I have mixed feelings about this. It's good to get the security-related bugs found and squashed before the "bad guys" find them, but I wouldn't want the Thunderbird developers to be forced to do any more work than they already do, due to a possible "influx" of issues being reported.
Peace...
Zerodium and Thunderbird zero-day exploits
- Posts: 1410
- Joined: October 14th, 2003, 7:53 am
- tanstaafl
- Moderator
- Posts: 49647
- Joined: July 30th, 2003, 5:06 pm
Re: Zerodium and Thunderbird zero-day exploits
Nope. Historically most security bugs supposedly fixed for Thunderbird are actually bug fixes in Gecko that don't affect Thunderbird because JavaScript is disabled for email accounts. You're usually vulnerable only when using the email client like a browser. I'm ignoring somebody doing something inherently risky such as enabling view -> display attachments inline. https://www.mozilla.org/en-US/security/ ... sa2022-03/
I'm pleasantly surprised that they find Thunderbird worth targeting. Most lists of email client market share I've seen have Outlook somewhere in the top 10 and don't even bother listing Thunderbird. For example https://www.litmus.com/blog/email-clien ... gust-2021/ . On the other hand, Windows Live Mail tends to make the top 10 list. That seems suspicious.