Closed Bug 511822 Opened 15 years ago Closed 15 years ago

Software claiming Thunderbird update auto-installed even tho options set to "ask me first"

Categories: Thunderbird :: Security, defect
Platform: x86, Windows XP
Priority: Not set
Severity: critical

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 511821

People

(Reporter: jrbiz, Unassigned)

Details

(Whiteboard: [sg:needinfo])

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
Build Identifier: Thunderbird version 2.0.0.23 (20090812) (copied from About window)

I have my options on Thunderbird 2.0.0.23 set to "check for updates" but to "ask me first" when they are found instead of auto-installing. At approximately 1 AM EST today (Aug 21, 2009), I had Thunderbird open and suddenly a pop-up window appeared and said "downloading and installing update"; a few seconds later it said "updates installed". Neither window identified what was being downloaded. Not only was my Thunderbird installation already updated, but I have my options set to "ask me first" before installing *any* update -- this option is set true for all my software, including Firefox, Thunderbird AND any Windows updates.

Was this a genuine update or something else? Either way, why was my instruction to "ask me first" ignored? I also have current updated versions of AVG anti-virus and Spybot programs running and received no warnings from them when this happened.

Reproducible: Didn't try

Steps to Reproduce:
1. not a reproducible event - apparent security breach

If a genuine update, because I have options set to "ask me first" rather than auto-install, Thunderbird should have "asked me first" if I wanted to install. If not a genuine update, shouldn't the options setting have prevented the auto-install anyway?

I also have current updated versions of AVG anti-virus and Spybot programs running and received no warnings from them when this happened.
I should mention I have been running Thunderbird for almost 2 years and this is the first time my option setting to "ask me first" has been ignored/overridden.
We did just release Thunderbird 2.0.0.23 today so the update is an expected one. I don't know why you didn't get asked first, but even in the default "not asking" mode it would still normally pop up a dialog before installing the update (it downloads without asking, then asks if you want to install it now or later).

Is it possible you were typing at the time the "ask" dialog popped up, and then one of your next keystrokes activated the update button? I don't believe that dialog has a security delay before the buttons become active (because it's not a dialog an evil website could cause to appear at inopportune times). If you agree that's likely we can probably make this bug a duplicate of one of the update service improvements that have gone into Firefox 3.0 and 3.5 which Thunderbird 3.0 will inherit (you can try the beta 3 if you like: http://www.mozillamessaging.com/en-US/about/press/archive/2009-07-21-01 ).

If you weren't typing at all then I'm stumped and concerned.

Since you're running Windows it's fairly easy to double-check that the binaries are the ones we built. Using Windows Explorer open the Thunderbird install directory (typically "C:\Program Files\Mozilla Thunderbird"), select thunderbird.exe, right-click and open the Properties dialog. You should see a Digital Signatures tab, and the file should be signed by "Mozilla Corporation". If you dig into the details the certificate should be issued by Thawte Code Signing CA. All of our .exe and .dll files should be signed except for softokn3.dll and freebl3.dll (don't ask, long story involving the .chk files also present for those two; hope to fix in the future).
Whiteboard: [sg:needinfo]
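The manual Explorer check Dan describes above, done over every binary in the install directory at once. This is an added example, not code from the bug report or from Mozilla; it assumes PowerShell is available, that Thunderbird is installed at the default path quoted in the comment, and it treats the two NSS libraries named in the comment as the only expected unsigned files.

```powershell
# Added example (not from the bug report): verify Authenticode signatures on the
# Thunderbird install directory, as Dan's comment describes doing by hand in Explorer.
# Assumption: default install path; adjust $InstallDir if Thunderbird lives elsewhere.
$InstallDir = 'C:\Program Files\Mozilla Thunderbird'
# The two NSS libraries the comment says ship unsigned (they carry .chk files instead).
$KnownUnsigned = @('softokn3.dll', 'freebl3.dll')

$results = Get-ChildItem -Path $InstallDir -Recurse -Include *.exe, *.dll |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [PSCustomObject]@{
            File     = $_.Name
            Status   = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Issuer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer }  else { '' }
            Expected = $KnownUnsigned -contains $_.Name   # -contains is case-insensitive
        }
    }

# Anything that is not Valid and not on the known-unsigned list deserves a closer look:
# a tampered or foreign binary shows NotSigned, HashMismatch or an unexpected signer.
$suspicious = $results | Where-Object { $_.Status -ne 'Valid' -and -not $_.Expected }

# A valid signature from someone other than Mozilla is just as interesting.
$wrongSigner = $results | Where-Object {
    $_.Status -eq 'Valid' -and $_.Signer -notmatch 'Mozilla Corporation'
}

$results | Format-Table File, Status, Signer, Issuer -AutoSize
$flagged = @($suspicious) + @($wrongSigner)
if ($flagged.Count -gt 0) {
    Write-Warning "Unexpected signature state on: $(($flagged | ForEach-Object File) -join ', ')"
} else {
    Write-Host "All binaries signed by Mozilla, except the known exceptions: $($KnownUnsigned -join ', ')"
}
```

Check the Issuer column as well: the comment says the Mozilla certificate should chain to the Thawte Code Signing CA, so a Mozilla subject with a different issuer is worth a second look.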
Dan, is there a bug about the softoken3 and freebl3 files? 
There's a simple solution to that problem
Dan,

Thanks for the quick reply. I checked the digital signature on both Thunderbird.exe and Firebird.exe and both appear to be as you described they should be.

I think you've nailed what happened. I was in Firefox when the dialog box popped up and I was typing/mouse clicking at that second. What probably appeared was not a dialog box about a Firefox update, but a dialog box about the Thunderbird update. Since I was in the process of typing/clicking when the box popped up that may have inadvertently caused the "ask me first" check to think I had clicked "OK" and so gone ahead with the installation. The popup didn't seem to look like the same dialog box I'm used to seeing for an update notification, but it all happened so fast I didn't get a good look.

Since the 2.0.0.23 update was issued yesterday and that's what my "About Thunderbird" box displays as the version I am now running, it's almost certain that it was the official 2.0.0.23 software update which flew past my screen and got installed. That's good news and eases my mind that it might have been "something else" that slipped in past my defenses.

Still, it might be a good idea for someone with expertise at this sort of thing to check and make sure nothing has happened to cause the "ask me first" function, in either Thunderbird or Firefox, from performing as it should (or maybe a second "Yes I'm sure" confirmation step should be added to the first "OK" step so that someone has to click confirmation a second time before the install proceeds, which would probably prevent what just happened with me in the same circumstances in the future?)
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE