A recent security audit of the email client Thunderbird and the encryption extension Enigmail revealed unpatched security issues in the email program and in Enigmail.

The report has not been released yet as issues are not yet patched in the Thunderbird program. The researchers found 22 vulnerabilities in total in both programs; three of the vulnerabilities received a critical rating, five a rating of high.

Update: Thunderbird 52.5.2 fixes the vulnerabilities.

Some results of the audit were posted on the Posteo blog. All issues that the researchers found in Enigmail have been fixed already in Enigmail 1.9.9 which users can download from the official project website.

"This version addresses a number of security vulnerabilities discovered by Cure53 during an audit of Thunderbird with Enigmail. The audit report covers both Thunderbird and Enigmail. As some vulnerabilities are still unfixed on the side of Thunderbird, we currently only publish an excerpt of the report with the issues found in Enigmail."

The report has not been published in its entirety yet, but Posteo has some insights for Thunderbird users to reduce the risk of running into exploits.

The following recommendations have been posted:

  • Thunderbird should be updated to the latest version as soon as it is released.
  • Users should not use RSS feeds in Thunderbird. The researchers found critical issues in the handling of RSS feeds that can reveal the "entire communication" and "other sensitive data".
  • Don't use add-ons. If you have to use add-ons, only use verified add-ons.

If you use Thunderbird to read RSS feeds, then you may want to consider disabling the functionality for the time being until a patch is released. Posteo notes, however, that it may take until Thunderbird 59, which won't be out for months.

Here is how you turn off the functionality for now:

  • Locate the "Blogs & News Feed" listing in the Thunderbird sidebar.
  • Right-click on it, and select Settings.
  • You have two options now:
    • a. Select Account Actions, and select "Remove Account". This removes all feeds and the feed account from Thunderbird. Note that the account cannot be restored afterwards.
    • b. Remove the checkmark from "check for new articles at startup" and "check for new articles every x minutes". This keeps the RSS feeds, but Thunderbird won't retrieve new articles on startup or automatically.

The second option may be less secure. I cannot say for sure as the vulnerability has not been revealed yet. If you want to make sure, delete the feed account in Thunderbird. You can make a backup first to restore the account after the update has been released.
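As an added example (this is not code from Posteo, Cure53 or the Thunderbird project), here is a small Python check that turns the advice above into something you can run against a Thunderbird profile: it reports whether the Thunderbird version is older than the fixed 52.5.2 and whether any feed account is still set to fetch articles at startup or on a timer (i.e. option b was not applied). It assumes that feed accounts appear in the profile's prefs.js as mail.server.serverN.type = "rss", and that the two checkboxes map to the login_at_startup and check_new_mail prefs; those names are assumptions here, so compare them with your own prefs.js. The sample prefs.js content is constructed for the example.

```python
"""Check a Thunderbird profile for the two mitigations discussed above:
a patched Thunderbird version and feed accounts that do not fetch
automatically. Added example; not code from Posteo, Cure53 or Thunderbird.
"""
import re

FIXED_VERSION = (52, 5, 2)  # version the article's update note names as fixed

# Constructed sample of the relevant lines of a prefs.js. The pref names
# (mail.server.serverN.type / login_at_startup / check_new_mail / check_time)
# are assumed from Thunderbird's account settings; verify against your profile.
SAMPLE_PREFS = '''
user_pref("mail.server.server1.type", "imap");
user_pref("mail.server.server1.hostname", "imap.example.net");
user_pref("mail.server.server1.login_at_startup", true);
user_pref("mail.server.server2.type", "rss");
user_pref("mail.server.server2.name", "Blogs & News Feeds");
user_pref("mail.server.server2.login_at_startup", true);
user_pref("mail.server.server2.check_new_mail", true);
user_pref("mail.server.server2.check_time", 100);
user_pref("mail.server.server3.type", "rss");
user_pref("mail.server.server3.name", "Archived feeds");
user_pref("mail.server.server3.login_at_startup", false);
user_pref("mail.server.server3.check_new_mail", false);
'''

# One user_pref("name", value); line per match
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$', re.M)


def parse_prefs(text):
    """Parse prefs.js lines into a dict of name -> bool/int/str."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        raw = raw.strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = raw
    return prefs


def feed_accounts(prefs):
    """Server keys (e.g. 'mail.server.server2') whose account type is rss."""
    return sorted(k[:-len(".type")] for k, v in prefs.items()
                  if k.endswith(".type") and v == "rss")


def auto_fetch_enabled(prefs, server):
    """True if the feed account still fetches at startup or on a timer.

    Option b above unticks both boxes, which (assumed) clears both prefs.
    """
    at_startup = prefs.get(server + ".login_at_startup", False)
    on_timer = prefs.get(server + ".check_new_mail", False)
    return bool(at_startup or on_timer)


def parse_version(s):
    """'52.5.2' -> (52, 5, 2); missing components count as 0, and any
    build suffix after the numbers (as in '52.5.2_2017...') is ignored."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", s)
    if not m:
        raise ValueError("unparsable version: %r" % s)
    return tuple(int(g or 0) for g in m.groups())


def is_patched(version):
    """Tuple comparison, so 52.5.10 correctly sorts after 52.5.2."""
    return parse_version(version) >= FIXED_VERSION


def report(prefs_text, version):
    """Return a list of findings; empty means both mitigations are in place."""
    prefs = parse_prefs(prefs_text)
    findings = []
    if not is_patched(version):
        findings.append("Thunderbird %s is older than %s: update it"
                        % (version, ".".join(map(str, FIXED_VERSION))))
    for server in feed_accounts(prefs):
        name = prefs.get(server + ".name", server)
        if auto_fetch_enabled(prefs, server):
            findings.append("feed account %r still fetches automatically" % name)
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_PREFS with open(<profile>/prefs.js).read() for a real check
    for line in report(SAMPLE_PREFS, "52.5.1"):
        print(line)
```

To run it against a real profile, read prefs.js from the profile directory while Thunderbird is closed (it rewrites the file on exit) and pass the version shown in Help > About Thunderbird. A feed account that is absent from the output either has no automatic fetching left or has been removed entirely (option a).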