Re: Thunderbird security

To: debian-user@lists.debian.org
Subject: Re: Thunderbird security
From: "Alexander V. Makartsev" <avbetev@gmail.com>
Date: Sat, 26 Mar 2022 16:53:02 +0500
Message-id: <[🔎] b5209abb-7d8d-4244-7cec-b85014fd8b98@gmail.com>
In-reply-to: <[🔎] 0cce3c63-62b9-404b-a75f-f65586205a5d@rodier.me>
References: <[🔎] 0cce3c63-62b9-404b-a75f-f65586205a5d@rodier.me>

On 26.03.2022 13:50, André Rodier wrote:

Hi all,
I would like to collect, from this thread, your experience and opinionabout Mozilla Thunderbird, in term of security.
I am registered on The Debian security list, and I see a lot of CVEcoming, some of them with a high score, mentioning execution ofarbitrary code or information disclosure.
Most of them seems pretty severe to me, and I am now runningThunderbird in firejail. However, I wonder if such vulnerability wouldallow a remote attacker to send an email, and get, for instance, thecredentials stored in Thunderbird, with or without master password.
This seem habitual to me, compared to other mail clients in Debian,like evolution / claws, etc...
In term of security, Which email clients, or which practices, youwould recommend to me ?
Thanks for your understanding and advice, but please, I don't want tostart a troll.

I've used Thunderbird for many years on different platforms. It is myfavorite mail client and I've never had any major or security problemswith it.When it comes to security, it is a good thing to have a healthy dose ofparanoia and monitor most recent known threats and vulnerabilities,however the actual exploitation of them is usually quite difficult ifnot impossible, especially if you keep your software up-to-date.


When I search for CVEs for a current version of Thunderbird:
    https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Thunderbird+91

I don't see any results that could affect 91 version. All of them arefor older ( < 91 ) versions of Thunderbird.

There is always a possibility of some 0-day vulnerability in anysoftware, so if you being smart and exercise some precaution proceduresyou still could be fine.

There are many ways, ex.:

You can disable JavaScript in Thunderbird altogether using"about:config" page.Never open any URLs inside Thunderbird and copy-paste and edit theminstead, because many of them crafted for purpose of tracking.Don't open any attachments right away, but save them to disk and inspectthem instead, especially if they come from unknown sources.Also, any exploit that could be received by mail has to pass throughmany filters and AV scanners before it will be delivered, so it makesexploitation of known vulnerabilities even more difficult for the badguys.Protecting you credentials with Master Password is a good way to protectyour data if credential db files were somehow stolen by data-miner classmalware, completely unrelated to Thunderbird.


Best antivirus is your head and healthy work habits.

--
With kindest regards, Alexander.

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄⠀⠀⠀⠀

Reply to:

References:
- Thunderbird security
  - From: André Rodier <andre@rodier.me>

Prev by Date: Re: Thunderbird security
Next by Date: Re: Under each of these scenarios, what is the neatest and simplest way to manipulate the /etc/network/interfaces file?
Previous by thread: Re: Thunderbird security
Next by thread: Thunderbird security
Index(es):
- Date
- Thread