Mozilla’s email client Thunderbird contained several security flaws that put its users at risk. As reported, after discovering these vulnerabilities in Thunderbird, Mozilla released patches in version 60.2.1.
Critical Vulnerability Discovered In Thunderbird
Mozilla has recently found multiple security vulnerabilities of varying severity in its email client Thunderbird. As disclosed in its security advisory, Mozilla patched seven different vulnerabilities in Thunderbird 60.2.1.
This includes a critical security vulnerability (CVE-2018-12376) that could allow an attacker to execute arbitrary code after gaining remote access to the target system. This vulnerability previously affected the Firefox 62 and Firefox ESR 60.2 browsers. The advisory describes the flaw as follows:
“Mozilla developers and community members […] reported memory safety bugs present in Firefox 61 and Firefox ESR 60.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.”
Six Other Vulnerabilities In Thunderbird Also Patched
Apart from CVE-2018-12376, Mozilla also patched five other bugs, including two high impact and three moderate impact vulnerabilities. These bugs directly affected Thunderbird, resulting in a potential crash upon exploitation. The two high impact flaws are a use-after-free in refresh driver timers (CVE-2018-12377) and a use-after-free in IndexedDB (CVE-2018-12378). The moderate impact bugs are an out-of-bounds write with a malicious MAR file (CVE-2018-12379), a proxy bypass using automount and autofs (CVE-2017-16541), and a crash in TransportSecurityInfo due to cached data (CVE-2018-12385).
In addition, the vendor also patched a low impact vulnerability that could allow users to access unencrypted passwords. This vulnerability also had a more significant impact on Firefox. As described in the advisory:
“If a user saved passwords before Firefox 58 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Firefox 58. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations.”
However, Mozilla confirms that Thunderbird users remain potentially unaffected by these flaws, because the software disables scripting while reading emails. Nonetheless, owing to the potential risks in browser-like contexts, Mozilla strongly recommends that users update to the patched version.