Thunderbird users generally take some comfort from the fact that their mail
client can be configured to refuse to load external images which might be
called for in HTML mail. The loading of such images is, at a minimum, a
privacy problem - it lets somebody know that a given message has been
read. Remote images can be used to note the times that messages are read,
or to judge the effectiveness of spam delivery. So turning off this
"feature" makes a lot of sense.
Unfortunately, it turns out that Thunderbird 1.5 does not block all external loads, even when
image loading is turned off. In particular, it seems that
<iframe> tags can be used to force remote loads to happen.
Thunderbird can also be made to request style sheets from remote sites.
Either of those operations will, once again, disclose that the message was
read, along with the usual ancillary information such as the user's IP
It has been pointed out that at least one company is exploiting this Thunderbird "feature"
already. The message describing the exploit also has a temporary
workaround for those who don't want to wait for an official fix; it works
by setting restrictive limits on the allowed HTML tags - which seems like a
good idea in any case.
Alan Cox, meanwhile, has found a problem with
evolution. If it receives a sufficiently large message with enough
links in it, it will grow to vast size and think for a long time. On a
large enough system, with enough time, it will succeed in rendering the
message; on smaller systems, it will run out of memory and crash. And, if
that weren't enough:
Worse, and the reason this becomes more than irritating is that evolution
tries to be smart when it is killed or dies. On restarting it will go to
great trouble to attempt to restart in the same position it died or was shut
down - which triggers the DoS again each time evolution is opened.
Alan reported the problem in January, and has been dismayed to see that no
fixes or advisories have been issued so far. So he has disclosed the
vulnerability, presumably with the idea of inspiring some effort to get it
fixed. We'll see if it works.
to post comments)