On 26.03.2022 13:50, André Rodier wrote:
Hi all,
I would like to collect, from this thread, your experience and opinion
about Mozilla Thunderbird, in term of security.
I am registered on The Debian security list, and I see a lot of CVE
coming, some of them with a high score, mentioning execution of
arbitrary code or information disclosure.
Most of them seems pretty severe to me, and I am now running
Thunderbird in firejail. However, I wonder if such vulnerability would
allow a remote attacker to send an email, and get, for instance, the
credentials stored in Thunderbird, with or without master password.
This seem habitual to me, compared to other mail clients in Debian,
like evolution / claws, etc...
In term of security, Which email clients, or which practices, you
would recommend to me ?
Thanks for your understanding and advice, but please, I don't want to
start a troll.
I've used Thunderbird for many years on different platforms. It is my
favorite mail client and I've never had any major or security problems
with it.
When it comes to security, it is a good thing to have a healthy dose of
paranoia and monitor most recent known threats and vulnerabilities,
however the actual exploitation of them is usually quite difficult if
not impossible, especially if you keep your software up-to-date.
When I search for CVEs for a current version of Thunderbird:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Thunderbird+91
I don't see any results that could affect 91 version. All of them are
for older ( < 91 ) versions of Thunderbird.
There is always a possibility of some 0-day vulnerability in any
software, so if you being smart and exercise some precaution procedures
you still could be fine.
There are many ways, ex.:
You can disable JavaScript in Thunderbird altogether using
"about:config" page.
Never open any URLs inside Thunderbird and copy-paste and edit them
instead, because many of them crafted for purpose of tracking.
Don't open any attachments right away, but save them to disk and inspect
them instead, especially if they come from unknown sources.
Also, any exploit that could be received by mail has to pass through
many filters and AV scanners before it will be delivered, so it makes
exploitation of known vulnerabilities even more difficult for the badguys.
Protecting you credentials with Master Password is a good way to protect
your data if credential db files were somehow stolen by data-miner class
malware, completely unrelated to Thunderbird.
Best antivirus is your head and healthy work habits.
--
With kindest regards, Alexander.
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄⠀⠀⠀⠀
