A new Email Address Enumeration issue reported by Secunia


Postby J-M » Wed 03 Nov, 2004 2:26 pm

Secunia reported a new "Mozilla / Thunderbird Valid Email Address Enumeration Weakness"; the whole advisory is located here: http://secunia.com/advisories/13086/ .
It was classified as Not critical.

From Secunia:
"The weakness is caused due to an improper behaviour where references to external stylesheets in HTML documents are followed. This can be exploited to validate the existence of an mail address when a malicious mail is opened."

Can anyone confirm whether this is something like a web bug issue? I think this is not Mozilla's/Thunderbird's "reason" from this point of view. Web bugs are a good reason to use plain text mode in any case. Using HTML support in any e-mail client is not secure. Of course, this has to be fixed in Mozilla code.
The Mozilla Security Team has now been informed too.

There is a workaround: HTML support can be disabled. Secunia gives the exact menu selection too: View / Message Body As / Plain Text.

- Juha-Matti
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040919 Firefox/0.10.1
J-M
diamond member
Posts: 815
Joined: Sun 25 Jul, 2004 9:16 am
Location: Helsinki, Finland

Postby Fulvio » Wed 03 Nov, 2004 2:34 pm

I agree with you. I wondered if setting to View as Simple HTML may work ok.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041026 Firefox/1.0RC1
A minority may be right, and a majority is always wrong
~ Henrik Ibsen
WinXP, SP3, 512 MB, SM2.9.1, FF12, TB12.0.1, IE8.0, Google Chrome18, Ghostwall , Avast 7.x, JRE1.7_04. Testing FF13b3
Fulvio
Moderator
Posts: 11914
Joined: Wed 19 Jun, 2002 10:08 am

Postby akbash » Wed 03 Nov, 2004 9:07 pm

Secunia are really stretching, classifying this as a "weakness." And calling it "improper behaviour" is just ignorant. In my opinion. They must be under their quota for security issues this month. Cripes, it's just a feature of HTML.

By design there's very little in an HTML document that can't be sourced remotely. Heck the entire document can come from an external server. Or just pieces of it, like stylesheets. And of course anything like that can be used with a little effort to track whether an individual email account has been used to display a message.

Thunderbird doesn't use these stylesheets if you display messages as either plaintext or simple HTML. Just to be certain, I just sent HTML mail to myself containing references to external stylesheets, read it with my own Thunderbird client, and checked the server's access logs. Thunderbird didn't ask the server for the stylesheets in either Plain Text or Simple HTML mode; it asked only when I flipped to Original HTML.

I'm pretty sure Thunderbird ignores any reference to externally sourced pieces of email in Simple HTML mode. To avoid being tracked by spammers, you really do need to read unvetted mail in nothing higher than Simple HTML, and I think you're safe if you do that. Personally I also turn off loading of remote images 'cause I figure two is better than one.

Secunia got it mostly right. They're a reasonably valuable resource, but they don't seem to do much investigation of their own.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041103 Firefox/1.0RC2
akbash
silver member
Posts: 364
Joined: Mon 09 Feb, 2004 9:13 pm

Postby Ramona » Wed 03 Nov, 2004 11:48 pm

Thank you akbash! I just finished quoting you on another Forum, as a user was concerned about using Firefox, or Mozilla, and had just uninstalled Netscape 7.2 because of Security vulnerabilities.

These Secunia Advisories are warnings; they are posted for information only. It is really up to the user to decide whether or not to trust their browser, or to start asking questions of those qualified to answer. I think your reply should set everyone's mind at rest.

Ramona
UserAgent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.3) Gecko/20041026 Firefox/1.0RC1
Ramona
Moderator
Posts: 2376
Joined: Wed 19 Jun, 2002 3:50 pm
Location: Midwest USA

Fix published to Thunderbird

Postby J-M » Thu 04 Nov, 2004 7:16 am

Secunia has updated the advisory and a fix is available in the CVS repository now.
See https://bugzilla.mozilla.org/show_bug.cgi?id=28327
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041026 Firefox/1.0RC1

Postby Fulvio » Thu 04 Nov, 2004 12:58 pm

FYI, I don't even bother opening anything suspicious, but I check View|Message Source from the header, and it tells me all I want. This is quite safe. I started doing this with the periodic e-mails with no subject nor sender, no text. I am not sure what they are, but there is a funky header, and that's it.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)

Postby akbash » Thu 04 Nov, 2004 4:59 pm

An update:

There are multiple ways to restrict Mozilla from reading external content linked from an email message. The one I use in Thunderbird is View Message Body As Simple HTML. The Secunia advisory -- you know they should mention things like this in their advisories -- concerns the other way.

In Thunderbird the option to "block loading of remote images" did only that until last September, when it was extended to cover (almost) everything else. (The text in the options dialog still reads the same, promising to block only images.) Personally I've always relied on Simple HTML but in recent Thunderbird builds it really looks like you can browse in Original HTML and avoid acknowledging any likely webbug in your mail. This applies only to Thunderbird 0.9 and later by the way. It doesn't apply to Mozilla 1.7.3 or Netscape 7.2.

So Secunia seem to be advising that when you configure a Mozilla mail client to not load remote images in messages but take no other steps to ensure your privacy, it will still load stylesheets. Imagine that. There was no mention of other remotable items and, by the way, this is no longer true in Thunderbird.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041104 Firefox/1.0RC2
Last edited by akbash on Thu 04 Nov, 2004 5:25 pm, edited 2 times in total.

Postby Alice » Thu 04 Nov, 2004 5:02 pm

This issue allows the spammer to verify your e-mail address. This is nothing new... spammers can also verify your e-mail address by embedding a link to a remote image in HTML spam e-mails, except that you can prevent that by checking "do not load remote images in mail and Newsgroup messages" in the Mozilla and Netscape 7.x Privacy > Images preferences.

Bottom line: this exploit allows spammers to verify your e-mail address with the end result being that your e-mail address may get more junk mail.

Here is a link from the bugzilla report referenced by J-M:
http://www.derkeiler.com/Mailing-Lists/ ... /0118.html
[Full-Disclosure] CSS in E-Mails possible E-Mail-Validity Check for Spammers?
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040910
Alice
Mozilla Champion
Posts: 1790
Joined: Sun 21 Jul, 2002 8:57 am
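
The point made in the posts above, that blocking remote images alone still leaves stylesheet references free to contact a server, can be checked on a message before it is rendered. The following is an added example, not part of the thread and not Mozilla's code: it lists every remote reference in an HTML mail body by kind and shows what a client would still request under a given blocking policy. The sample message, the host `tracker.example`, the TOKEN values and all function names are constructed for illustration, and the body is assumed to decode as UTF-8.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# Constructed sample message; tracker.example and the TOKEN values are placeholders.
SAMPLE = """\
Content-Type: text/html; charset="utf-8"

<html><head><link rel="stylesheet" href="http://tracker.example/s.css?id=TOKEN1">
<style>@import url("http://tracker.example/i.css?id=TOKEN2");</style></head>
<body><img src="http://tracker.example/p.gif?id=TOKEN3">
<p style="background:url(cid:part1)">hello</p></body></html>
"""
REMOTE = re.compile(r"^(?:https?:)?//", re.I)  # http, https or protocol-relative
CSS_URL = re.compile(r"""url\(\s*["']?([^"')\s]+)|@import\s+["']([^"']+)""", re.I)

class RefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs, self.in_style = [], False  # refs holds (kind, url) pairs

    def css(self, text):  # url(...) and @import "..." inside CSS text
        self.refs += [("css", a or b) for a, b in CSS_URL.findall(text or "")]

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.in_style = tag == "style"
        if tag == "img":
            self.refs.append(("image", a.get("src")))
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            self.refs.append(("stylesheet", a.get("href")))
        self.css(a.get("style"))  # inline style attributes can reference URLs too

    def handle_endtag(self, tag):
        self.in_style = False  # only </style> can end a <style> element

    def handle_data(self, data):
        if self.in_style:
            self.css(data)

def remote_refs(raw):
    parser = RefCollector()
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    return [(k, u.strip()) for k, u in parser.refs if u and REMOTE.match(u.strip())]

def still_fetched(refs, blocked):  # what is requested when only `blocked` kinds are suppressed
    return [r for r in refs if r[0] not in blocked]
```

With `blocked={"image"}` the two stylesheet references in the sample remain, which is the behaviour the advisory describes; the `cid:` reference is local to the message and is never reported.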

