* on the Mon, Jan 27, 2014 at 10:56:17AM -0800, Al Billings wrote:

> Yes but you have to choose to view the original html or it doesn't do
> anything. So, by default, users will not be automatically exploited.
> They have to get a bad email and then choose menu options for that one
> email to then be able to click on a link which then might have content

The above statement is all wrong. Thunderbird by default displays emails as original HTML. Only when you install TorBirdy does that change.

> This is why it was considered a "moderate" security issue.

No, I don't believe that played any part in the classification.

> It isn't a drive by exploit where you send mail to people and then
> something happens to them. They have to actively cooperate to be
> exploited.

It requires the user to receive an email, and then click a link in that email. This is not unusual behaviour.

> It is a bug, yes, but it isn't as bad as was being painted the other day here.

It is a horrible bug for Tor users who are using Thunderbird without TorBirdy. To clarify, at no point did I state that TorBirdy users were affected. I brought up the issue here exactly so that those sorts of issues could be investigated. I suggest if you are going to make any further statements about the way the bug works, you replicate it first. The bug report is now public. Somebody has submitted a patch, but they've also suggested that there may be similar bugs in the MathML code waiting to be found.

--
Mike Cardwell https://grepular.com/ http://cardwellit.com/
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk