Why we need Gecko updates
jcranmer at tjhsst.edu
Thu Dec 10 18:49:39 UTC 2015
On 12/8/2015 6:40 PM, Ben Bucksch wrote:
> In Thunderbird, the risk is even larger than in Firefox. In Firefox,
> you need to actively go to a website, and that website needs to attack
> you (possibly via an ad server). We still assume that an attacker will
> manage to get you to his website somehow, and we consider such a
> critical bug the end of the computing world. In Thunderbird, the
> attacker has it even easier: He just needs to send you an HTML email.
> You view it, and you're done. Dead.
I think you're wrong here. It is probably about two to three orders of
magnitude harder to deliver an exploit to an email client than it is a
web browser. Much web traffic remains in HTTP, which permits MITM
attacks, and ad servers are a great way to feed malware to users
(particularly pernicious are ads on freeware download sites--just mimic
a download button, you're virtually guaranteed a good click-through
rate). Also, web browsers willingly send their identities to the
servers, making it trivial to target malware specific to the user's
machine. By contrast, email requires guessing a user's email address,
guessing their client, and passing anti-spam and anti-virus. It's easier
to phish the user into opening a malware attachment than it is to
correctly guess which client is being used to target it specifically,
and it's certainly a better use of limited email throughput (high-volume
email outflow tends to get quickly binned as spam).
That's not to say that email is immune to risk--if I wanted to
specifically target someone, I'd probably try via email instead of a web
> * JS is disabled by default
> * "View | Message body as | Simple HTML", which tries to prevent most
> security holes with HTML.
> Neither is bullet-proof and some classes of bugs, e.g. in the parser,
> or image decoders or - worse - in the complex native video codecs, are
> still going to hit you with their full force.
Mozilla actively fuzzes JS and all of its input formats (HTTP, HTML,
CSS, multimedia codecs), and I've gotten the sense that the security
team badly wants the codecs in particular moved to Rust, which would
drastically reduce the scope and likelihood of exploitable security
bugs. So I reckon the riskiest and most vulnerable code in Thunderbird
is not in mozilla-central, but comm-central. Our protocol client
implementations are almost certainly insecure against hostile server
implementations, and some of our MIME and mbox code is rife with mixed
NUL-terminated/non-NUL-terminated strings, which is a recipe for
security bugs. Unlike Firefox, we're not mitigating these risks by
fuzzing them to any degree. I would not be surprised if there were an
exploitable security bug that could be used against every version of
Thunderbird from the first working public CVS build to the current
tip-of-trunk; the same I would not say for Firefox.
Beware of bugs in the above code; I have only proved it correct, not tried it. -- Donald E. Knuth
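The "mixed NUL-terminated/non-NUL-terminated strings" bug class that the reply above points at in the MIME and mbox code, shown as an added example in C. This is not code from Thunderbird, comm-central or the poster; the `struct slice` type, the two header lines and the header value with an embedded NUL are constructed for illustration. It shows the mismatch in both directions: a NUL-terminated API walking past a length-counted slice into adjacent data, and a NUL-terminated security check stopping short of bytes a length-aware consumer will still use, alongside the bounded versions that close each gap.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* A length-counted view into a larger buffer, the shape an mbox or MIME
 * parser hands around. Nothing guarantees p[len] == '\0'. (Constructed type.) */
struct slice { const char *p; size_t len; };

/* Constructed sample: two raw header lines back to back, as they would sit
 * in an mbox buffer. Only the literal's trailing NUL exists; the first line
 * is not NUL-terminated where it ends. */
static const char sample_mbox[] =
    "Content-Type: text/html\r\n"
    "X-Evil: <script>\r\n";

/* Hypothetical attacker-controlled header value with an embedded NUL. */
static const char evil_value[] = "x\0<script>";

/* Bug pattern 1: NUL-terminated API applied to a length-counted slice.
 * strchr and strlen ignore line.len and keep walking into whatever follows
 * (the next header here; past the end of the allocation in the worst case). */
size_t header_value_len_buggy(struct slice line) {
    const char *colon = strchr(line.p, ':');
    if (!colon) return 0;
    return strlen(colon + 1);
}

/* Fixed: every scan is bounded by the slice length. */
size_t header_value_len_safe(struct slice line) {
    const char *colon = memchr(line.p, ':', line.len);
    if (!colon) return 0;
    return (size_t)((line.p + line.len) - (colon + 1));
}

/* Bug pattern 2: the reverse mismatch. A security check uses a NUL-terminated
 * search, but a later consumer uses all len bytes, so an embedded NUL hides
 * the tag from the check. */
int contains_tag_buggy(struct slice value, const char *tag) {
    return strstr(value.p, tag) != NULL;   /* stops at the first NUL */
}

/* Fixed: bounded search that treats NUL as just another byte. */
int contains_tag_safe(struct slice value, const char *tag) {
    size_t tlen = strlen(tag);             /* tag is a trusted C literal */
    if (tlen == 0 || value.len < tlen) return 0;
    for (size_t i = 0; i + tlen <= value.len; i++)
        if (memcmp(value.p + i, tag, tlen) == 0) return 1;
    return 0;
}

/* The one place a slice may become a C string: bounded copy, explicit NUL,
 * and a refusal to produce a string that would silently lose bytes.
 * Returns 0 on success, -1 if the slice would not survive the conversion. */
int slice_to_cstr(struct slice s, char *out, size_t outsz) {
    if (outsz == 0 || s.len >= outsz) return -1;      /* would truncate */
    if (memchr(s.p, '\0', s.len) != NULL) return -1;  /* would be cut short */
    memcpy(out, s.p, s.len);
    out[s.len] = '\0';
    return 0;
}

/* Slices over the constructed samples, as a line splitter would produce them. */
struct slice first_line(void) {
    struct slice s = { sample_mbox, 23 };  /* "Content-Type: text/html", no CRLF */
    return s;
}
struct slice evil_slice(void) {
    struct slice s = { evil_value, sizeof(evil_value) - 1 };  /* 10 bytes, NUL at index 1 */
    return s;
}

/* Conversion succeeds on a clean slice and yields exactly the slice's bytes. */
int first_line_converts(void) {
    char buf[64];
    return slice_to_cstr(first_line(), buf, sizeof buf) == 0 &&
           strcmp(buf, "Content-Type: text/html") == 0;
}

/* Conversion refuses the slice with the embedded NUL. */
int evil_converts(void) {
    char buf[64];
    return slice_to_cstr(evil_slice(), buf, sizeof buf);
}

int main(void) {
    printf("buggy value length: %zu (bounded answer is 10)\n", header_value_len_buggy(first_line()));
    printf("safe value length:  %zu\n", header_value_len_safe(first_line()));
    printf("buggy check sees <script: %d\n", contains_tag_buggy(evil_slice(), "<script"));
    printf("safe check sees <script:  %d\n", contains_tag_safe(evil_slice(), "<script"));
    printf("clean slice converts: %d, NUL slice converts: %d\n", first_line_converts(), evil_converts());
    return 0;
}
```

The over-read in `header_value_len_buggy` stays inside the literal here only because the whole sample buffer happens to end in a NUL; on a real mbox mapping the same `strlen` reads whatever memory follows the message. The practical rule the fixes encode is to keep data length-counted end to end, use `memchr`/`memcmp` rather than `str*` on it, and convert to a C string in exactly one audited place that refuses embedded NULs instead of letting them silently shorten the value.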