Thunderbird/firefox and remote attacks

Discussion of general topics about Mozilla Thunderbird
afora
Posts: 11
Joined: November 1st, 2022, 5:11 pm

Thunderbird/firefox and remote attacks

Post by afora »

I was curious if anyone could recommend a good read on the relationship between thunderbird and firefox. I'm curious why vulnerabilities are usually reported for both of the products.

I understand that they share a large swathe of libraries where bugs can be shared.

What I do not understand is why, under the specific conditions TB operates in, e.g.:
  - no javascript allowed in messages, or
  - auto-loading of content from the server can be disabled while opening HTML messages
they do not render those shared engine vulnerabilities irrelevant to TB in terms of remote attacks? Remote, as opposed to local.

Note: I understand that vulnerabilities related to impersonation, or code injection while communicating to SMTP and the like exist. But those cannot compromise the system running TB by a remote attacker.

Many thanks for any hints!
morat
Posts: 6421
Joined: February 3rd, 2009, 6:29 pm

Re: Thunderbird/firefox and remote attacks

Post by morat »

You can use Thunderbird as a web browser.

Using Thunderbird as a web browser
http://discourse.mozilla.org/t/80976

You are using Thunderbird as a web browser when configuring a Gmail account on the accounts.gmail.com page.

Thunderbird and Gmail
http://support.mozilla.org/kb/thunderbird-and-gmail
http://www.youtube.com/watch?v=JXs_YE9QyUQ&t=56s

The BrowseInTab addon lets you open any link in a tab.

BrowseInTab
http://addons.thunderbird.net/thunderbird/addon/987779
afora
Posts: 11
Joined: November 1st, 2022, 5:11 pm

Re: Thunderbird/firefox and remote attacks

Post by afora »

Thanks morat again, and conversely, if you do not browse (specifically risky parts of) the internet with TB, you do not have a problem then?

Also, while you mention this, is it possible to remove the browser engine from TB completely, so this (even as remote as it is) possibility of being penetrated is completely addressed? The only unsatisfactory answer I found - http://forums.mozillazine.org/viewtopic ... &t=2850911.

The reason I'm asking all these questions is that over the last couple of years, despite the bag of money Mozilla is sitting on, TB's leadership has shown its remarkable incompetence by creating a runaway train of bugs and anti-features. Or is it even incompetence? Indeed! I can see the writing on the wall as it will turn most users away over time. Heck, it did me as I ditched the 102 for good, as I'm so over wasting my time with this mess. And I'm far from being an average user. Which brings me back to the question of what options I have, if TB folds completely 3-5 years from now.

One option is to stick to an old release as long as I can manage most vulnerabilities that will be discovered over time. And it looks to me that this is quite possible, as I don't care that much about email impersonation (e.g. via SMTP comms injections) but am mostly concerned about compromising the local system. And it seems as if all can be managed by disabling remote content loading from the server, and disabling javascript leftovers in the console. You can even leave HTML alone if you are not stupid enough to respond to phishing attacks.

What are your thoughts?
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: Thunderbird/firefox and remote attacks

Post by tanstaafl »

It's risky to use an add-on with Thunderbird to make it a general purpose web browser as it was not designed for that, and the developers have a long history of deliberately delaying adopting security fixes that are browser-centric. Thunderbird is also very prone to regression errors and has far less testing than Firefox.

I recommend you only use add-ons such as BrowseInTab with a small number of web sites that you know are safe.

"despite the bag of money Mozilla is sitting on, TB's leadership has shown its remarkable incompetence by creating a runaway train of bugs and anti-features."

It's misleading to still think of Thunderbird as part of Mozilla. They've been independent for a good while. Mozilla stopped funding the project but still acts as a fiscal/legal home. The separation started in 2012 when Mitchell Baker publicly stated Mozilla's decision to transition Thunderbird to a new release and governance model.

In 2017 the Thunderbird project decided between Software Freedom Conservancy (SFC), the Document Foundation (TDF), or a new deal with Mozilla Foundation as their new home. They decided to make a new deal with Mozilla. They now use a new subsidiary of Mozilla, MZLA Technologies Corporation, as their home to provide them more freedom in what products and services they offer. The Thunderbird Council has confirmed in the tb-planning mailing list their earlier statement that if their needs change Mozilla will let them choose a different home again (not affiliated with Mozilla).

The project is not funded by Mozilla, it relies upon user donations for its income. See https://blog.thunderbird.net/2022/05/th ... al-report/ . Firefox developers have been told not to waste any time preventing any changes from creating bugs in Thunderbird. This is the so-called "Thunderbird tax" that Mozilla management in 2015 very publicly complained was affecting Firefox development. https://arstechnica.com/information-tec ... o-drop-it/

Mozilla still owns the Thunderbird trademarks. The project has problems making their mind up about what branding they will use. In some places they still mention Mozilla, in others they've dropped mention of it. There is a bug report about that.

"Which brings me back to the question of what options I have, if TB folds completely 3-5 years from now."

I don't see any reason to worry about that. However, there are other projects based on modifications to Thunderbird's source code such as BetterBird at https://www.betterbird.eu that might become more mainstream if that happens. BetterBird is led by a former Thunderbird developer and feeds their fixes to Thunderbird. Some get quietly adopted, others ignored.
afora
Posts: 11
Joined: November 1st, 2022, 5:11 pm

Re: Thunderbird/firefox and remote attacks

Post by afora »

Thanks tanstaafl, and before a decent replacement appears (I don't see betterbird in any repo apart from ArchLinux, which is still a very good start), do you think the security strategy I'm thinking of is too dangerous? I do not browse the internet with TB at all, zilch, nada.
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: Thunderbird/firefox and remote attacks

Post by tanstaafl »

"I'm curious why vulnerabilities are usually reported for both of the products."

Why shouldn't they be? Even though both products are based on the Gecko engine they're used in quite different environments.

Many of the listed Thunderbird vulnerabilities would require javascript to be enabled for email and it isn't, but there are still some legitimate email vulnerabilities that get listed. They also test non-mail protocols such as Matrix. The Thunderbird developers don't want to modify Gecko as they don't want the burden of maintaining a fork, but in a few cases they have made minor modifications. So I think the separate Thunderbird security advisories are useful, despite their tendency to treat Thunderbird as a browser.

"do you think the security strategy I'm thinking of is too dangerous"

I think how good you are at deciding what attachments are safe to open, what to click on, and whether you have good habits such as disabling view -> display attachments inline matters more than what version you are using if you are using Thunderbird just for email. So you could safely use obsolete versions such as 60.* as long as you don't run into restrictions such as the mail server requiring a version of TLS that your version of Thunderbird doesn't support (that is starting to happen), or it dropping support for all of the ciphers your version supports (that has happened to a number of users). However, I would recommend not using anything older than the prior major version for email. Right now that is 91.*. It's not worth the added risk to stick with too old a version.

Your user agent string says you are using Firefox 78. I think that is dangerous, a browser is used in a much riskier environment than an email client. I recommend you keep Firefox up to date. Right now that appears to be 106.0.4
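As an added example (not code from this thread or from the Thunderbird project), here is a small audit of the prefs.js settings behind the mitigations afora lists above (no remote content from the server, plain-text over HTML) and the "display attachments inline" habit tanstaafl mentions. The pref names are real Thunderbird preferences; the prefs.js content is constructed, and the script deliberately reports an unset pref as "default" rather than guessing the build's default, which differs between versions.

```python
import re

# Constructed sample prefs.js (not from a real profile): remote content has been
# re-enabled, attachments still render inline, and prefer_plaintext is left unset.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("mail.inline_attachments", true);
user_pref("mailnews.message_display.disable_remote_image", false);
user_pref("security.tls.version.min", 3);
"""

# Hardened values for the settings discussed in the thread (real Thunderbird
# pref names; the chosen values follow the advice given above).
EXPECTED = {
    # block remote content when an HTML message is opened
    "mailnews.message_display.disable_remote_image": True,
    # View -> Display Attachments Inline switched off
    "mail.inline_attachments": False,
    # show the text/plain part when a message carries both
    "mailnews.display.prefer_plaintext": True,
}

_PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+?)\);$')

def parse_prefs(text):
    """Parse user_pref(...) lines into a dict; values become bool, int or str."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line.strip())
        if not m:
            continue  # comments, blank lines and anything unexpected
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(prefs):
    """Map each expected pref to 'ok', 'weak' or 'default'; 'default' means the
    pref is absent from prefs.js, so the build's own default applies."""
    status = {}
    for name, want in EXPECTED.items():
        if name not in prefs:
            status[name] = "default"
        else:
            status[name] = "ok" if prefs[name] == want else "weak"
    return status
```

Run `audit(parse_prefs(open(path).read()))` against a copy of a profile's prefs.js (close Thunderbird first, since it rewrites the file on exit); a "default" result still needs checking in about:config for that version.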
afora
Posts: 11
Joined: November 1st, 2022, 5:11 pm

Re: Thunderbird/firefox and remote attacks

Post by afora »

Thanks tanstaafl, thanks for confirming this. Ignoring functionality incompatibilities and focusing on security alone, I do not understand why upgrading because "we do not know of any threats given your restrictive use case for v60, but recommend anyway just in case" works in principle. You always have zero-day vulnerabilities even in the 102. Additionally, due to sloppy testing in the recent years, the number of bugs for each respective main release of TB has grown parabolically. I think there's just as strong an argument to stay away from 102 because there may be parabolically more zero-day vulnerabilities there just as well.

Also, this is firefox 78 with security patches applied as supplied by my distro package manager. It will be as secure as the 106. But thanks for noticing it ;)

Appreciate your thoughts as I'm trying to understand where I am standing.
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: Thunderbird/firefox and remote attacks

Post by tanstaafl »

Every Thunderbird release is pretty buggy, they just don't have the testing resources. Thunderbird also suffers from a lot of regression errors.

But I wouldn't lump security bugs and normal bugs together as the impact is quite different and in general (for Thunderbird) they appear to be found by different groups of people. Security bugs seem to be primarily Gecko bugs and that appears to slowly get better over time for Thunderbird, which has a smaller attack surface than Firefox. The biggest uncertainty is the first couple of months after a major release as that will fix some security bugs that are still in the prior major release but will also add new ones, making it unclear whether you are better off upgrading or not.

The other wrinkle is that Thunderbird has a trivial market share compared to other email clients, essentially less than 0.1% if you count webmail. A custom attack for Thunderbird has a poor ROI.

Everybody's situation seems to be different. Please don't take my suggestions as criticism.

One alternative you might consider would be to run a more recent version of Thunderbird from a lightweight sandbox such as Sandboxie Plus (https://sandboxie-plus.com) to isolate any potential damage. It's free.