
Thunderbird vs Microsoft- Software Security In General

Discussion in 'Firefox, Thunderbird & SeaMonkey' started by partanonymous, 2009/01/01.

  1. 2009/01/01
    partanonymous

    I read a comment here about Thunderbird being a more secure email solution than Windows Mail, and since I couldn't post to it, I decided to make another thread.

    Original thread:
    http://www.windowsbbs.com/firefox-thunderbird-seamonkey/69999-export-tbird-msgs-windows-mail.html


    Although saying that Thunderbird is more secure than Windows Mail may be inherently true, the statement made is false. Thunderbird is actually pretty insecure when it comes to security vulnerabilities-- as seen in the threads posted on vulnerabilities posted on Secunia (fixed in an "upcoming" version).

    When Mozilla releases their security advisories for flaws in Firefox, they will typically state what versions of Firefox, SeaMonkey, and Thunderbird are affected, but little do people realize that an update for every application (usually Thunderbird) is not available; this means your "secure" application is left open for attack until Mozilla decides they want to take the time to patch the flaws. It could take 2 weeks for Mozilla to release an update for Thunderbird-- I've seen cases where it has taken longer.

    Although Microsoft products are often considered insecure by open source projects, people need to think about WHY their products are considered to be so "insecure"; what it has to do with is exposure, and by exposure I am not necessarily saying publicity.

    Attackers will attempt to exploit the most common system configurations and pre-installed software (i.e. Internet Explorer, Windows Media Player, Windows Mail). Think of it as a shotgun blast, attackers will try to hit as many systems as they can; which just so happen to be those with Microsoft products. But don't forget, Mozilla now is so widely used ("exposed") that attackers will also look to exploit flaws in Firefox and Thunderbird.

    Just because you aren't using a Microsoft product, doesn't mean you are safe and secure-- you actually put yourself at as much, if not more risk, because you are using a piece of software that is open-source; which means that attackers can analyze flaws and develop exploits without using advanced reverse engineering tools.

    So saying Mozilla is more secure is false. Saying Microsoft is more secure is also false. Neither are secure, so you put your trust in how fast either will release a patch for a flaw and if they offer any ways to deter attacks if a patch cannot be released. To me, a potential 2 week turnaround for an email client I would use everyday is not acceptable.

    Microsoft has since come out of the dark ages by notifying security professionals and has been quite successful in offering workarounds for security flaws. The responsible disclosure process at MS seems decent as well, but can't say a lot of positive on their turnaround time either-- at least the disclosure of the vulnerability is typically NOT public, but the same goes for Mozilla.

    I personally am wary about using Thunderbird for the reason that Mozilla could take anywhere from a week or longer to release patches for flaws that have been fixed in their other products (such as Firefox). So what it boils down to is a catch 22 and this is where a good security protection suite is needed. I've been raving about one product, maybe you'll see a post or two in the malware/general security forums about it.
     
  2. 2009/01/01
    Westside

    Indeed, vulnerabilities do exist, and it may take a while for Mozilla to issue a safe update, but it is a better situation than with Microsoft software, when updates may come out monthly, if so, at all. Only leaving the computer turned off is secure.
     


  4. 2009/01/01
    noahdfear

    It's been my experience that there remains an opinion by many users, that many open source apps are more secure due to the fact they aren't affected by many of the infections which affect MS apps, IE and mail in particular. The reality is that they are not necessarily more secure, but less targeted for attack. Malware authors try to affect the most number of users with their code, and since the majority of users have in the past been using MS based apps, they have not had good reason to bother with writing code that targets anything else. There is now a large enough user base of Firefox for example, that they are increasingly adding code to target FF, and it is easily exploited.

    As seen last month, if MS deems an exploit as high risk, it will issue an update out of monthly cycle. I use MS based apps, and I'm at ease leaving my computer turned on.
     
  5. 2009/01/03
    TonyT

    Realize that there are several motivations for these guys that author and/or attack computers:

    1. plain old evil intentions
    2. economic gain
    3. status seeking
    4. anti-MS

    Economic gain is by far the main reason exploits are developed today, this includes gain from ads, click throughs and credit theft. At one time, the anti-MS crowd seemed to be responsible for the majority of exploits, and they still exist and work to defame MS any way they can.

    Economics dictate that one target the majority of computers, thus MS apps are the primary target, as stated above, as Mozilla and other open source Windows apps grow in popularity they too will become targets.

    As for Internet browser security itself, it's a greatly overstated thing, but it does make headlines and sell copy. Generally, new exploits are pretty hard to run into while practicing safe-smart computing. The odds of becoming infected while doing your normal computer routine are very very low.

    But it does occur, and the "safe solution" today is "patch your system". The majority of security fixes can be ignored, but for the average user a necessity, no matter the software license.
     
