Is Linux less susceptable to hacking via an email that does not involve clicking on anything?

Being a patron, and not using Telegram very much, I thought maybe this forum might be a good place to ask this question.
I use the Thunderbird email client rather than using webmail. Last month our Australian National University (ANU) revealed that a very serious hacking breach was executed in a way that worries me:
ANU said the attack was initiated in November 2018 via a spearphishing email that was previewed by a senior staffer.
“Based on available logs this email was only previewed but the malicious code contained in the email did not require the recipient to click on any link nor download and open an attachment,” the university said.
So my question is, presuming the senior staffer was using a Windows OS, is Linux less susceptable to this kind of attack?

That would depend if the code was windows specific or cross platform. If it was able to run on a Linux system then it would probably require admin privileges to run so that would require the user to allow it to execute by inputting an admin password, which is often blocked to general users on networked systems in the corporate and public sectors.

So the short answer is Linux is not immune this type of attack but as most people/criminals who try these attacks are going for the easy target it is more likely to be a windows attack vector, so a Linux system is likely to be less vulnerable.

1 Like

@Pieter-v, big welcome to the forum! Telegram is short-form so this is the right place to ask :slight_smile:

I agree with @mintCastTony Linux specific exploits will be a lot less common and Thunderbird specific ones won’t be either though the recommendation is always, “security through obscurity is no security at all”.

Because the UI is written in Javascript:

https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Thunderbird_extensions/Building_a_Thunderbird_extension_5:_XUL

…and a lot about Email is standardized, most of the exploits for Thunderbird have been cross platform:

https://www.cvedetails.com/vulnerability-search.php?f=1&vendor=&product=thunderbird&cveid=&msid=&bidno=&cweid=&cvssscoremin=&cvssscoremax=&psy=&psm=&pey=&pem=&usy=&usm=&uey=&uem=

As for privileges whenever I hear about malicious code it’s often using a second bug to achieve privilege escalation (though that’s a lot harder in Linux) but even if it doesn’t Thunderbird is already running with user level privileges which has access to the home folder, most apps, and it can send/receive to the Internet so it’s is still a real issue however unlikely it’ll make it that far.

Local clients like Thunderbird will also reveal your public IP address to whomever you send an Email to in the header (this is a standard, not the fault of Thunderbird), I ran a test through gmail SMTP and the recipient got the following personal info:

Received: from [my local ip was here] ([my public ip was here])

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0

If you want to avoid giving out your public IP you’ll need to use a VPN or send Email with a Website based client instead like protonmail.com or gmail.com though the User-Agent line will still be there.

I’d say Thunderbird is ok for security if you make sure it’s only rendering Email in plain text and stays up to date. If you want more security you’d want a Web client on a trusted platform.

Thank you, both mintCastTony and Ulfnic. Both comments are very helpful in understanding more about how Linux and Thunderbird work in relation to user security.
I use PIA vpn, upon system start-up. However will look at the other measures you suggested as well.
Cheers

I’m curious to know how the breach occurred if the attachment was not opened. Now, I’m not email expert, but it could very well be that there was a transparent layer that was activated upon clicking the message. I have not heard of this tactic being used in email, but it is known as click-jacking on websites. If this is how this breach occurred, then the only recourse might be to disable html messages and revert back to text only. Not the best solution, I know, but one that would work.

It was a very interesting incident. You can read more about it here:

1 Like

I know with attachments one way is through antivirus because some of them scan attachments before you even look at the email. Here’s an example with Norton and they’ve had a lot like these:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1451

These are extremely rare and expensive hacks. Last I’ve heard of this was involving Apple’s iMessage.

I’m not a coder nor a security specialist but email has always been “dumb” in that, it should not execute anything because it should be just static text. Granted, it does not stop companies from developing “content-rich” email which may have executable codes/javascript, etc. If I recall correctly, Google is pushing for more “fun” stuff in your email like movies and animations and stuff (for marketing/advertising purposes). Couple this with advances in steganography (which can hide malicious code/scripts via images or sound files) and now you have an environment which can execute code without opening anything.

Just to secure your thunderbird client, make sure that “remote content” like images are disabled by default (its somewhere in the preferences/settings). This should protect you from the more common attack vectors via email.