Thunderbird gets its EFAIL patch Thunderbird has pushed code with fixes for a dozen security vulnerabilities – including the EFAIL encryption mess that emerged in May. The EFAIL-specific fixes address two errors in Thunderbird's handling of encrypted messages: CVE-2018-12372, in which an attacker can build S/MIME and PGP decryption oracles in HTML messages; …
There was no mention of Office in the article... :-S But, generally, it is probably more secure, because it does less (KISS).
The problem you mention is the execution of control panel shortcuts within Thunderbird on Windows. The problem, among other things, is the <DEEPLINK> tag. If a manipulated attachment on an email in Thunderbird is opened, it can execute the embedded patch to an executable.
This is a problem with the .SettingContent-ms specification and will affect any application that allows these settings files to be executed. They are designed to be used locally, to open direct control panel elements, it seems it wasn't envisioned that they would be manipulated and sent per e-mail or downloaded from malicious websites. The same old story, a useful tool, where the developers didn't think far enough, when it comes to security.
This is a Windows 10 problem, bu it affects any application that allows the files to be opened or executed.
You don't need to explain it to me, I read the link given in the article, which is where the mention of Office was.
And in that linked page we find that MS decided it wasn't worth updating Office to filter out this filetype (see text I quoted from the linked page above). I guess they will when the exploits roll in... indicating MS is following the Adobe whack-a-mole method of bug fixing and Thunderbird, with much more limited resources, is more proactive.
I was forced by MS to shift to Thunderbird when they killed off hotmail/livemail support, and I must say that it has been ALWAYS an unpleasant experience. Yes, it works, to a fashion (if MS servers don't refuse connection, which is MS issue of course), but other than that - the interface is clunky, user-unfriendly, settings are all over the place. Judging by developers' (?) replies to comments about it (why do you find it hard, WE FIND IT EASY), it's the usual problem of mis-matching viewpoint.
And then, over the last two years, they haven't bothered to fix the bug (a "feature", I'm sure!), which had been reported a couple of years prior to that, i.e. every odd time (yes, ODD TIME) it shows the spam-ad for thunderbird in the message preview window. Yes, I DO know how to turn it off, it does not work. Or rather, sometimes it does, sometimes it does not, no rhyme or rhythm. I can live with it, sure, but it's like that stitching in your shoe, that makes you remember (not in a good way), every time to go take a walk.
And yet, the magic of free...
We use it all the time and it works pretty well.
However, from personal experience I completely agree with this
"Judging by developers' (?) replies to comments about it (why do you find it hard, WE FIND IT EASY)"
Their attitude is frequently pompous and arrogant with a 'lalala' fingers in ears, not listening attitude. That sucks big style. You start by wanting to try and help, and end up walking away.
I'm sure that whatever they produce it will be a pile of spaghetti which they'll think is great, no matter how much criticism they get.
Ah well. Still prefer it to drinking the M$ Koolaid. It could just be so much better.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
