Why we need Gecko updates

Joshua Cranmer jcranmer at tjhsst.edu
Thu Dec 10 18:49:39 UTC 2015


On 12/8/2015 6:40 PM, Ben Bucksch wrote:
> In Thunderbird, the risk is even larger than in Firefox. In Firefox, 
> you need to actively go to a website, and that website needs to attack 
> you (possibly via an ad server). We still assume that an attacker will 
> manage to get you to his website somehow, and we consider such a 
> critical bug the end of the computing world. In Thunderbird, the 
> attacker has it even easier: He just needs to send you an HTML email. 
> You view it, and you're done. Dead.

I think you're wrong here. It is probably about two to three orders of 
magnitude harder to deliver an exploit to an email client than it is to a 
web browser. Much web traffic remains in HTTP, which permits MITM 
attacks, and ad servers are a great way to feed malware to users 
(particularly pernicious are ads on freeware download sites--just mimic 
a download button, you're virtually guaranteed a good click-through 
rate). Also, web browsers willingly send their identities to the 
servers, making it trivial to target malware specific to the user's 
machine. By contrast, email requires guessing a user's email address, 
guessing their client, and passing anti-spam and anti-virus. It's easier 
to phish the user into opening a malware attachment than it is to 
correctly guess which client is being used to target it specifically, 
and it's certainly a better use of limited email throughput (high-volume 
email outflow tends to get quickly binned as spam).

That's not to say that email is immune to risk--if I wanted to 
specifically target someone, I'd probably try via email instead of a web 
browser.

> Mitigation:
> * JS is disabled by default
> * "View | Message body as | Simple HTML", which tries to prevent most 
> security holes with HTML.
> Neither is bullet-proof and some classes of bugs, e.g. in the parser, 
> or image decoders or - worse - in the complex native video codecs, are 
> still going to hit you with their full force.

Mozilla actively fuzzes JS and all of its input formats (HTTP, HTML, 
CSS, multimedia codecs), and I've gotten the sense that the security 
team badly wants the codecs in particular moved to Rust, which would 
drastically reduce the scope and likelihood of exploitable security 
bugs. So I reckon the riskiest and most vulnerable code in Thunderbird 
is not in mozilla-central, but comm-central. Our protocol client 
implementations are almost certainly insecure against hostile server 
implementations, and some of our MIME and mbox code is rife with mixed 
NUL-terminated/non-NUL-terminated strings, which is a recipe for 
security bugs. Unlike Firefox, we're not mitigating these risks by 
fuzzing them to any degree. I would not be surprised if there were an 
exploitable security bug that could be used against every version of 
Thunderbird from the first working public CVS build to the current 
tip-of-trunk; the same I would not say for Firefox.

-- 
Beware of bugs in the above code; I have only proved it correct, not tried it. -- Donald E. Knuth
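As an added illustration of the mixed NUL-terminated/non-NUL-terminated string bug class mentioned above (this is constructed example code, not Thunderbird's MIME or mbox code; the `slice` struct, the function names and the sample header value are assumptions): a Content-Type value arrives as a length-delimited slice out of a mailbox buffer, and a check done through a C-string API stops at an embedded NUL, so the check and a later length-honouring consumer disagree about what the value contains.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* A header value as cut out of a length-delimited MIME/mbox buffer:
 * pointer plus length, not guaranteed NUL-terminated, and it may carry
 * an embedded NUL that came straight off the wire. */
struct slice { const char *p; size_t len; };

/* Buggy pattern: the slice is handed to a C-string API, which silently
 * stops at the first NUL. Everything after that NUL is never examined
 * here, but a consumer that honours v.len will still process it. */
bool is_text_plain_cstr(struct slice v) {
    return strcmp(v.p, "text/plain") == 0;   /* treats v.p as a C string */
}

/* Length-aware version: a NUL can never be part of a valid token, so a
 * value containing one is rejected outright, and the comparison covers
 * exactly v.len bytes instead of stopping at the first NUL. */
bool is_text_plain_len(struct slice v) {
    if (memchr(v.p, '\0', v.len) != NULL) return false;
    const char *want = "text/plain";
    size_t n = strlen(want);
    return v.len == n && memcmp(v.p, want, n) == 0;
}

/* How many bytes a length-honouring consumer would see that the C-string
 * check never looked at (0 if the value contains no NUL). */
size_t hidden_bytes_after_nul(struct slice v) {
    const char *nul = memchr(v.p, '\0', v.len);
    if (nul == NULL) return 0;
    return v.len - (size_t)(nul - v.p) - 1;
}

/* Constructed sample input: a Content-Type value with an embedded NUL
 * followed by a second media type. 20 bytes including the NUL. */
static const char DEMO[] = "text/plain\0text/html";
#define DEMO_LEN (sizeof(DEMO) - 1)

struct slice demo_value(void) {
    struct slice s = { DEMO, DEMO_LEN };
    return s;
}
```

The C-string check accepts the sample as plain text while nine bytes of a different media type sit past the NUL; the length-aware check rejects it.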