Gecko vs Goanna for Thunderbird Independence

Ben Bucksch ben.bucksch at
Mon Apr 17 14:12:14 UTC 2017

Gervase Markham wrote on 17.04.2017 16:03:
> On 13/04/17 23:11, Ben Bucksch wrote:
>> there were no less than 250 known critical *1 security holes and 600
>> memory corruption bugs that might be exploitable. One critical security
>> is already a very serious risk.
> How many of those are exploitable if JS is switched off?

I've recently looked through the list, and about 50-60% are dependent on 
JS, another 15-20% are in the video/audio decoders (HTML5 <video>), but 
a good part, maybe 1/3 or so, are in other code parts and Thunderbird 
without JS and without video would still be vulnerable.

Worse yet, the above numbers do not count memory corruption bugs (i.e. 
buffer overflows, use-after-free and similar serious badness) that are 
potentially exploitable, and could also affect Thunderbird. There are so 
many of them, usually about 10-20 per 6-week release cycle, that we 
don't have more information about them, but they are still potentially 

So, the answer is much worse than I thought: Turning off JS and video 
helps a lot, but even if they are turned off, that still leaves a huge 
amount of security holes. We have a lot of low level holes, unfortunately.


More information about the tb-planning mailing list