Zerodium and Thunderbird zero-day exploits

tomdkat
Posts: 1410
Joined: October 14th, 2003, 7:53 am

Zerodium and Thunderbird zero-day exploits

Post by tomdkat »

How-dee! Have you all heard about this:

https://www.securityweek.com/zerodium-o ... y-exploits

Zerodium is interested in zero-day exploits for Outlook and Thunderbird. I have mixed feelings about this. It's good to get the security-related bugs found and squashed before the "bad guys" find them, but I wouldn't want the Thunderbird developers to be forced to do any more work than they already do, due to a possible "influx" of issues being reported.

Peace...
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: Zerodium and Thunderbird zero-day exploits

Post by tanstaafl »

Nope. Historically, most security bugs supposedly fixed for Thunderbird are actually bug fixes in Gecko that don't affect Thunderbird because JavaScript is disabled for email accounts. You're usually vulnerable only when using the email client like a browser. I'm ignoring somebody doing something inherently risky such as enabling View -> Display Attachments Inline. https://www.mozilla.org/en-US/security/ ... sa2022-03/

I'm pleasantly surprised that they find Thunderbird worth targeting. Most lists of email client market share I've seen have Outlook somewhere in the top 10 and don't even bother listing Thunderbird. For example, https://www.litmus.com/blog/email-clien ... gust-2021/. On the other hand, Windows Live Mail tends to make the top 10 list. That seems suspicious.