[Original text] Mozilla Mail 1.7.1 and 1.7.3, and Thunderbird before 0.9, when HTML-Mails is enabled, allows remote attackers to determine valid e-mail addresses via an HTML e-mail that references a Cascading Style Sheets (CSS) document on the attacker's server.
Mozilla Multiple Products CSS Tag Email Address Enumeration
Remote / Network Access
Loss of Confidentiality
Mozilla and Thunderbird contain a flaw that may lead to an unauthorized information disclosure. The issue is triggered when Mozilla or Thunderbird follows a link to an external CSS file. This will disclose the existence of a valid email address even if the victim is using the built-in feature which blocks external HTML from being loaded when displaying an email, resulting in a loss of confidentiality.
Upgrade Thunderbird to version 0.9 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): Disable HTML support in emails. This is found in the menu under "View" --> "Message Body As" --> "Plain Text" or "Simple HTML"
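For environments where affected clients cannot be upgraded immediately, a mail filter can flag HTML messages that reference remote stylesheets. The following is an added example, not part of the original advisory; the names `remote_css_refs` and `CssRefFinder` and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# Constructed sample message; addresses and host names are placeholders.
SAMPLE = """\
From: sender@example.org
To: recipient@example.com
Content-Type: text/html; charset="utf-8"

<html><head>
<link rel="stylesheet" href="http://remote.example/s.css">
<style>@import url("//remote.example/b.css"); p { color: red }</style>
<link rel="stylesheet" href="cid:inline-part">
</head><body><p>hello</p></body></html>
"""

REMOTE = re.compile(r"^(?:https?:)?//", re.I)  # absolute or scheme-relative URL
IMPORT = re.compile(r"""@import\s+(?:url\(\s*)?["']?([^"')\s;]+)""", re.I)

class CssRefFinder(HTMLParser):
    """Collects stylesheet URLs from <link> tags and @import rules."""
    def __init__(self):
        super().__init__()
        self.refs, self._in_style = [], False
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and "stylesheet" in a.get("rel", "").lower():
            self.refs.append(a.get("href", "").strip())
        self._in_style = self._in_style or tag == "style"
    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
    def handle_data(self, data):
        if self._in_style:
            self.refs += IMPORT.findall(data)

def remote_css_refs(raw_message):
    """Return remote stylesheet URLs found in the text/html parts of a message."""
    found = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True) or b""
        html = body.decode(part.get_content_charset() or "utf-8", "replace")
        finder = CssRefFinder()
        finder.feed(html)
        found += [r for r in finder.refs if REMOTE.match(r)]
    return found
```

A non-empty result means the message would cause a vulnerable client to fetch CSS from an external host; a gateway can strip those references or quarantine the message.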