
Some mailer difficulties

Thunderbird users generally take some comfort from the fact that their mail client can be configured to refuse to load external images which might be called for in HTML mail. The loading of such images is, at a minimum, a privacy problem - it lets somebody know that a given message has been read. Remote images can be used to note the times that messages are read, or to judge the effectiveness of spam delivery. So turning off this "feature" makes a lot of sense.

Unfortunately, it turns out that Thunderbird 1.5 does not block all external loads, even when image loading is turned off. In particular, it seems that <iframe> tags can be used to force remote loads to happen. Thunderbird can also be made to request style sheets from remote sites. Either of those operations will, once again, disclose that the message was read, along with the usual ancillary information such as the user's IP address.

It has been pointed out that at least one company is exploiting this Thunderbird "feature" already. The message describing the exploit also has a temporary workaround for those who don't want to wait for an official fix; it works by setting restrictive limits on the allowed HTML tags - which seems like a good idea in any case.
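An added example, not from the article or the Thunderbird project: a small Python checker that lists what an HTML message body would fetch on render, covering the iframe and style-sheet paths described above as well as images. The tag table beyond img, iframe and link, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Tag -> attribute that triggers a fetch on render. img is the case the article
# says is blocked; iframe and stylesheet links are the ones it says still load.
# The remaining entries are assumptions added for completeness.
URL_ATTRS = {"img": "src", "iframe": "src", "frame": "src", "link": "href",
             "script": "src", "embed": "src", "object": "data", "body": "background"}
REMOTE = re.compile(r"\s*(?:https?:|ftp:)?//", re.I)    # absolute or //host URL
# URLs referenced from CSS: @import "u", @import url(u), url(u)
CSS_URL = re.compile(r"""(?:@import\s+(?:url\()?|url\()\s*['"]?([^'")\s;]+)""", re.I)

class RemoteLoadFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []            # (source, url) pairs in document order
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self._in_style = tag == "style"
        name = URL_ATTRS.get(tag)
        url = (attrs.get(name) or "").strip() if name else ""
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            url = ""              # only stylesheet links are fetched on render
        if REMOTE.match(url):
            self.hits.append((f"{tag}[{name}]", url))

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:        # body of a <style> element
            self.hits += [("style", u) for u in CSS_URL.findall(data) if REMOTE.match(u)]

def find_remote_loads(html):      # every URL the markup makes a renderer fetch
    finder = RemoteLoadFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

# Constructed sample body; hosts under .invalid never resolve.
SAMPLE = """<link rel="stylesheet" href="http://t.example.invalid/s.css?id=42">
<style>@import url(http://t.example.invalid/i.css);</style>
<img src="cid:logo@local"><img src="http://t.example.invalid/pixel.gif">
<iframe src="http://t.example.invalid/frame?id=42"></iframe>
<a href="http://example.invalid/page">plain links are not auto-loaded</a>"""
```

Calling `find_remote_loads(SAMPLE)` reports the style sheet, the `@import`, the remote image and the iframe, and skips the `cid:` image and the ordinary hyperlink.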

Alan Cox, meanwhile, has found a problem with Evolution. If it receives a sufficiently large message with enough links in it, it will grow to vast size and think for a long time. On a large enough system, with enough time, it will succeed in rendering the message; on smaller systems, it will run out of memory and crash. And, if that weren't enough:

Worse, and the reason this becomes more than irritating is that evolution tries to be smart when it is killed or dies. On restarting it will go to great trouble to attempt to restart in the same position it died or was shut down - which triggers the DoS again each time evolution is opened.

Alan reported the problem in January, and has been dismayed to see that no fixes or advisories have been issued so far. So he has disclosed the vulnerability, presumably with the idea of inspiring some effort to get it fixed. We'll see if it works.



proxying is good

Posted Mar 3, 2006 8:15 UTC (Fri) by sitaram (subscriber, #5959)

At work, where I am behind a proxy, I used to not configure the correct proxy settings in TB, so I would never have to bother about this. But now I have started using the RSS Feeds feature I'm exposed again -- maybe I should rethink my RSS feeds strategy.

By the way, even if you have a plain static IP, and no proxy server, this can still work. Just tell TB you do have a proxy at 127.0.0.1 and some nonexistent port, and that should be that!

Thunderbird loads remote images when you PRINT

Posted Mar 12, 2006 0:21 UTC (Sun) by endecotp (guest, #36428)

Thunderbird will unconditionally load the images in an HTML email when you print it. See https://bugzilla.mozilla.org/show_bug.cgi?id=219250 - the bug was filed in September 2003 and isn't classified as a security issue as far as I can see.

I found out about this when I wanted to file a Spam complaint; I had started to get spam from an identifiable UK-based company and was preparing a written complaint form to send to the Information Commissioner's Office. As the email came out of the printer, I couldn't believe that it had actually loaded the images.

Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds