Thunderbird 78.x: Upgrade to version 91, and foreseeable problems

The developers of the Thunderbird email client want to slowly start migrating Thunderbird 78.x users to the new Thunderbird 91.x development branch. In Thunderbird 91, however, users should be prepared for problems or inconsistencies. In addition, the developers have apparently not managed in six years to check add-ons in the user profile for legitimacy. Here is a short overview of the topic.



Migration from 78.x to Thunderbird 91 starts soon

The Thunderbird 78 development branch will end soon, because development ends with Thunderbird 78.15.0 (Tom pointed it out here). Currently we are at Thunderbird 78.14.0 (see Thunderbird 78.14.0), but the Thunderbird 91 development branch already exists (see Thunderbird 91.2.0).

At Bleeping Computer I found the following: As of October 5, 2021, 85% of Thunderbird users were using client version 78, and only 9% had manually upgraded to 91.

So far, Thunderbird 78.x users have not been upgraded to version 91 when checking for updates. I myself am still on version 78.x, and an update search does not yet offer Thunderbird 91. But both ghacks.net and Bleeping Computer reported a few days ago that the change to version 91 is done via update and probably runs in waves.

What you should know / consider

Over the past days and weeks I have received various pieces of information about Thunderbird from blog readers, which I would like to include in this article and post on the blog.

Thunderbird 78: Update to 91 enables JavaScript via PDF reader!

German blog reader Patrick already contacted me on September 23, 2021 and pointed out a change that occurs when upgrading from Thunderbird 78.x to version 91.x.

Hello Günter,

as was already to be expected, the update of Thunderbird to version 91, which has now started, also makes the new, integrated JavaScript reader available within the application.

Along with the PDF function, JavaScript for the documents is activated in Thunderbird at the same time, which has so far not been the case within e-mails for security reasons, and which certainly cannot be desirable in "text only" mode.

Both PDF scripting (pdfjs.enableScripting = false) and the PDF reader (pdfjs.disabled = true) can be disabled via the Config Editor.

It may be worth remembering to disable JavaScript after the change to Thunderbird 91.x. Thanks to Patrick for the hint.



Thunderbird Data-Reporting

German blog reader Z.A. contacted me by email on 9/26/2021 and pointed out that Thunderbird also uses data reporting (telemetry). In the following text he refers to my blog post Does Firefox 89/90 pull data again?, in which I discuss telemetry and user data collection in Firefox. Z.A. wrote that this is also the case with Thunderbird.

Hello Mr. Born,

some time ago you had raised the issue of data reporting in Firefox. Blog readers had contributed measures to prevent the reporting. I just found out today that the archive folder (found in the profile) is also created in Thunderbird and is filled with data.

If anyone is interested, here is a suggestion to turn off data reporting in TB (I use 78).

All via Settings – General – Edit configuration (at the bottom).

Disable Mozilla Telemetry

browser.send_pings = false
browser.send_pings.max_per_link = 0
toolkit.telemetry.enabled = false
toolkit.telemetry.unified = false

Thunderbird contacts Mozilla daily and sends an accurate list of installed add-ons

extensions.getAddons.cache.enabled = false

Disable beacons: beacon.enabled = false
Disable timing APIs: dom.enable_resource_timing = false

Maybe it helps you – thanks to blog reader Z.A. for the hint.
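
To check whether the settings from the two reader tips above (PDF scripting and data reporting) are actually present in a profile, the following added example, which is not part of the readers' emails or of Thunderbird itself, parses the text of a prefs.js or user.js file and compares it with those values. The function names and the sample text are assumptions made for illustration; a preference reported as "unset" is simply absent from the file, so the application default applies and the effective value has to be checked in the Config Editor.

```python
import re

# Desired values from the two reader tips above (Config Editor names).
DESIRED = {
    "pdfjs.enableScripting": False, "pdfjs.disabled": True,
    "browser.send_pings": False, "browser.send_pings.max_per_link": 0,
    "toolkit.telemetry.enabled": False, "toolkit.telemetry.unified": False,
    "extensions.getAddons.cache.enabled": False,
    "beacon.enabled": False, "dom.enable_resource_timing": False,
}

# Matches lines such as: user_pref("beacon.enabled", false);
# Commented-out lines (// user_pref(...)) do not match.
PREF_RE = re.compile(r'^[ \t]*user_pref\("([^"]+)",\s*(.+?)\);\s*$', re.M)

def parse_prefs(text):
    """Return {name: value} for every user_pref() line of a prefs.js/user.js."""
    prefs = {}
    for m in PREF_RE.finditer(text):
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')  # string preference
    return prefs  # a later line overrides an earlier one

def audit(text):
    """Map each desired pref to 'ok', 'differs' or 'unset' (default applies)."""
    current = parse_prefs(text)
    report = {}
    for name, want in DESIRED.items():
        if name not in current:
            report[name] = "unset"
            continue
        # Compare the type too: in Python, False == 0 would otherwise pass.
        same = (type(current[name]), current[name]) == (type(want), want)
        report[name] = "ok" if same else "differs"
    return report

# Constructed sample, not taken from a real profile.
SAMPLE = """user_pref("pdfjs.disabled", true);
user_pref("pdfjs.enableScripting", true);
user_pref("browser.send_pings.max_per_link", 0);
user_pref("toolkit.telemetry.enabled", false);
"""

if __name__ == "__main__":
    print("\n".join(f"{s:8} {n}" for n, s in audit(SAMPLE).items()))
```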

Signature problems with Outlook?

German blog reader Headster has responded to my blog post Thunderbird 91.2.0 with a comment pointing out a problem with Thunderbird 91.x in conjunction with signed emails and Microsoft Outlook. He writes (translated from German):

Hi all, I noticed a bug a few days ago – at least I suspect it's a bug – that I've only been experiencing since upgrading to the 91.x branch:

I sign outgoing emails with S/MIME. Thunderbird evaluates the signature as valid, Outlook 365 on the other hand complains that the message has been tampered with; in the details you can see that Outlook assumes that the message may have been changed after signing.

When I noticed this by chance the other day, I took a closer look and found out the following points:

  • Occurs only since switching from the 78.x to the 91.x branch (certificate and settings regarding S/MIME have not been changed in the meantime)
  • Occurs under Windows, macOS and Linux
  • Occurs only if mails are formatted as HTML – Outlook does not complain with text-only messages!
  • Thunderbird itself always finds all mails (HTML + text only) as correctly signed.

Of course it could be a bug in Outlook 365, but the error did not occur with mails that were still signed with Thunderbird 78.x, as I said.

Can anyone confirm this or know a workaround? I have found little useful on the net so far.

The comment got a bit bogged down and there was no feedback. If anyone can confirm, that would be helpful. Thanks to Headster for pointing this out.

S/MIME bug under Windows

German blog reader Mark Heitbrink pointed out that S/MIME only works with the Thunderbird certificate store. With the Microsoft certificate store, signing/encrypting with S/MIME fails. There is a bug report, but it is already closed. However, the bug is still present according to Mark.

Security issue open for 6 years

Stefan Kanthak emailed me the other day to point out an unpleasant issue affecting Firefox and Thunderbird. For six years there has been a vulnerability in Firefox/Thunderbird that allows add-ons in the profile to be overwritten. An attacker could abuse this to execute arbitrary code by replacing the add-ons in the user profile. The bug was reported six years ago against Firefox 31. A week ago, the bug report was marked as "closed" because the Thunderbird calendar is no longer an add-on, but the problem has not been fixed yet.

