DesktopLinux
Thunderbird security woes
Feb. 11, 2008

When Firefox 2.0.0.12 came out on Feb. 7, it brought with it fixes for three critical security holes and seven that were not quite so serious. According to the security advisories, many of these problems were also fixed in the Thunderbird 2.0.0.12 e-mail client. Unfortunately, there is no Thunderbird 2.0.0.12.

The Mozilla Foundation's press release focused on the Firefox 2.0.0.12 security fixes. The Foundation also reported, though, in its MFSA (Mozilla Foundation Security Advisory), that these same bugs had been fixed in the fictitious Thunderbird 2.0.0.12.

Specifically, the following critical security advisories were reported to be fixed in both Firefox and Thunderbird 2.0.0.12: MFSA 2008-01 (crashes with evidence of memory corruption) and MFSA 2008-03 (privilege escalation, XSS, remote code execution). In addition, the serious security bug MFSA 2008-05 (directory traversal via chrome: URI) and moderate security bug MFSA 2008-08 (file action dialog tampering) are reported to have been fixed in the nonexistent Thunderbird 2.0.0.12.

All of these security problems can be traced back to how Gecko, the layout engine behind both Firefox and Thunderbird, handles JavaScript. Or, to be more exact, the core problem lies in how this engine mishandles JavaScript.

The brute-force solution is simply to make sure that JavaScript is never enabled in Thunderbird. Unlike in a Web browser, where disabling JavaScript is a far more serious step because it also breaks JavaScript-dependent Web sites, there is seldom any call for JavaScript in HTML-formatted e-mail messages.
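As an added example (not from the article and not Mozilla's code), here is a small Python audit that checks whether JavaScript has been left enabled in a Thunderbird profile. Gecko stores preferences as `user_pref("name", value);` lines in the profile's prefs.js (written by the application) and user.js (hand-written, applied on top of prefs.js at every startup), so the script parses both, lets user.js win, and reports the effective value of the standard Gecko preference `javascript.enabled`. The sample profile contents are constructed for this example, the helper names and `audit_profile` layout are this example's own, and it assumes `javascript.enabled` is the preference governing JavaScript in mail content for the reader's Thunderbird version.

```python
"""Audit a Thunderbird (Gecko) profile for the JavaScript-in-mail setting.

Preference files consist of lines of the form
    user_pref("name", value);
where value is a double-quoted string, an integer or true/false.
user.js is applied on top of prefs.js at startup, so it is the right
place to pin a mitigation such as javascript.enabled = false.
"""
import re
from pathlib import Path
from typing import Dict, Optional, Union

PrefValue = Union[bool, int, str]

# One preference per line; the name may not contain an unescaped quote.
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)+)",\s*(.+?)\s*\);\s*$')


def parse_value(raw: str) -> PrefValue:
    """Convert the right-hand literal into a Python value."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw.startswith('"') and raw.endswith('"'):
        # Strings are double-quoted; undo the \" and \\ escapes Gecko writes.
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return int(raw)  # integers are the only remaining type


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse user_pref lines; comment and blank lines are ignored."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def effective_prefs(prefs_js: str, user_js: str = "") -> Dict[str, PrefValue]:
    """Merge prefs.js and user.js; user.js wins, as it does at Gecko startup."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return merged


def javascript_enabled(prefs: Dict[str, PrefValue]) -> Optional[bool]:
    """True/False for an explicit setting; None when the profile leaves the
    application default in force and the setting should be pinned explicitly."""
    value = prefs.get("javascript.enabled")
    return value if isinstance(value, bool) else None


def hardening_line() -> str:
    """The user.js line that enforces the mitigation regardless of prefs.js."""
    return 'user_pref("javascript.enabled", false);'


def audit_profile(profile_dir: Path) -> Optional[bool]:
    """Audit a real profile directory: prefs.js plus an optional user.js."""
    prefs_js = (profile_dir / "prefs.js").read_text(encoding="utf-8")
    user_js_path = profile_dir / "user.js"
    user_js = user_js_path.read_text(encoding="utf-8") if user_js_path.exists() else ""
    return javascript_enabled(effective_prefs(prefs_js, user_js))


# Constructed sample profile: JavaScript left on, plus filler preferences
# (names and values made up for this example) that the parser must skip over.
WEAK_PREFS_JS = """\
// Mozilla User Preferences
/* Do not edit this file. */
user_pref("javascript.enabled", true);
user_pref("mail.startup.enabledMailCheckOnce", true);
user_pref("mailnews.display.html_as", 0);
"""

# Constructed user.js that applies the setting the article recommends.
HARDENED_USER_JS = """\
// Override whatever prefs.js says: no JavaScript in mail content.
user_pref("javascript.enabled", false);
"""


if __name__ == "__main__":
    for label, user_js in (("weak", ""), ("hardened", HARDENED_USER_JS)):
        state = javascript_enabled(effective_prefs(WEAK_PREFS_JS, user_js))
        print(f"{label}: javascript.enabled = {state}")
```

Pointing `audit_profile` at a real profile directory gives the same three-way answer (enabled, disabled, or unset and therefore at the application default); dropping `hardening_line()` into that profile's user.js makes the setting re-apply at every start even if something later rewrites prefs.js.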

Still, it is upsetting that Mozilla reports that these problems have been fixed in a version of Thunderbird that doesn't exist. The latest version of Thunderbird is 2.0.0.9.

DesktopLinux.com tried to reach the Mozilla Foundation Feb. 8 for an explanation, but, as of the afternoon of Feb. 11, the Foundation had not replied.

There has long been concern that Thunderbird was not a real priority for Mozilla. In September 2007, Mozilla announced that it was spinning Thunderbird off into a company of its own: MailCo. Only weeks later, Scott McGregor, one of Thunderbird's two key developers, left Mozilla. This reignited Thunderbird users' fears that Mozilla was not so much moving Thunderbird out as throwing it out.

Since that time, MailCo has still not left the launch pad. Dr. David Ascher, formerly chief technology officer and vice president of engineering for ActiveState, and a director of the Python Software Foundation, is heading the effort to found the company. On his blog, Ascher reported that as of Jan. 15, Dan Mosedale, once he's done with his work on the forthcoming Firefox 3, will be helping to get MailCo off the ground.

It appears, though, based on the postings in the blog, that MailCo is still months away from opening its doors. In the meantime, there appears to be little work being done on Thunderbird despite these misleading messages indicating that security fixes are still being delivered to the popular open-source e-mail client.


-- Steven J. Vaughan-Nichols

Use of this site is governed by our Terms of Service and Privacy Policy. Except where otherwise specified, the contents of this site are copyright © 1999-2008 Ziff Davis Enterprise Holdings Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Enterprise is prohibited. Linux is a registered trademark of Linus Torvalds. All other marks are the property of their respective owners.