Mozilla Fixed Critical Vulnerabilities In Thunderbird 60.6.1

Mozilla recently rolled out patches for two critical vulnerabilities in its Thunderbird email client. The vulnerabilities allegedly affected its IonMonkey JIT compiler. Mozilla fixed the bugs with the release of Thunderbird 60.6.1.

Two Critical Vulnerabilities In Thunderbird 60.6.1

As disclosed in Mozilla’s security advisory, two critical vulnerabilities existed in Thunderbird’s IonMonkey JIT compiler. Mozilla confirmed rolling out patches for both flaws with Thunderbird 60.6.1.

As reported, the first of these vulnerabilities, CVE-2019-9810, could result in a buffer overflow.

“Incorrect alias information in IonMonkey JIT compiler for Array.prototype.slice method may lead to missing bounds check and a buffer overflow.”

The second vulnerability, CVE-2019-9813, was an IonMonkey type confusion.

“Incorrect handling of __proto__ mutations may lead to type confusion in IonMonkey JIT code and can be leveraged for arbitrary memory read and write.”

Mozilla confirmed that the vulnerabilities could not be exploited via email because scripting is disabled in the software. However, they were “potentially risky” in browser-like contexts. Users must therefore ensure they upgrade to the patched Thunderbird version to avoid any mishaps.

Mozilla credited the researchers from Trend Micro’s Zero Day Initiative for reporting both vulnerabilities.

Second Update For Thunderbird In A Month

Although the present update, 60.6.1, carries fixes for only two security bugs, Mozilla had already rolled out an update just a couple of weeks earlier. At that time, Mozilla patched quite a bunch of vulnerabilities with Thunderbird version 60.6.

That update included fixes for three critical security bugs, four high-severity flaws, and two moderate-severity vulnerabilities. Among the critical flaws, CVE-2019-9791 and CVE-2019-9792 also existed in the IonMonkey just-in-time (JIT) compiler. Mozilla credited Samuel Groß from Google Project Zero for reporting both bugs.

In addition, a high-severity vulnerability, CVE-2019-9795, also affected the IonMonkey JIT compiler. This type confusion flaw could potentially trigger an exploitable crash owing to malicious JavaScript.

With the release of Thunderbird 60.6, Mozilla also fixed memory safety bugs (CVE-2019-9788) that affected Firefox and Firefox ESR as well. The patches for the other two browsers were rolled out with Firefox 66 and Firefox ESR 60.6. However, this time, Mozilla’s advisory did not mention any such update for the other browsers.
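
A fleet check built on the two fix releases described above, as an added example that is not from Mozilla's advisory or the original article: it parses Thunderbird version strings from an inventory and lists which of the CVEs named in this article are still unpatched on each host. The inventory format, host names and function names are assumptions, and any version below a fix release is assumed to lack that fix.

```python
import re

# Fix release -> CVEs this article attributes to it. Only CVEs named in the
# article are listed; the 60.6 advisory covered more issues than these four.
FIXED_IN = {
    (60, 6, 0): ["CVE-2019-9788", "CVE-2019-9791", "CVE-2019-9792", "CVE-2019-9795"],
    (60, 6, 1): ["CVE-2019-9810", "CVE-2019-9813"],
}

VERSION_RE = re.compile(r"Thunderbird\s+(\d+(?:\.\d+){0,2})")


def parse_version(text):
    """Return (major, minor, patch) from '... Thunderbird X.Y[.Z]', or None."""
    match = VERSION_RE.search(text)
    if not match:
        return None
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # "60.6" -> (60, 6, 0)


def missing_fixes(version):
    """CVEs whose fix release is newer than `version` (assumption: older = unfixed)."""
    return sorted(cve for fixed, cves in FIXED_IN.items() if version < fixed for cve in cves)


def triage(inventory):
    """Map host -> unpatched CVEs, or None when no version could be read."""
    report = {}
    for line in inventory.strip().splitlines():
        host, _, raw = line.partition(",")
        version = parse_version(raw)
        report[host.strip()] = None if version is None else missing_fixes(version)
    return report


# Constructed inventory (hypothetical hosts): hostname, version command output.
SAMPLE_INVENTORY = """
ws-01, Thunderbird 60.6.1
ws-02, Thunderbird 60.6
ws-03, Mozilla Thunderbird 60.5.1
ws-04, thunderbird: command not found
ws-05, Thunderbird 68.0
"""

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        status = "version unreadable, check manually" if cves is None else (", ".join(cves) or "patched")
        print(f"{host}: {status}")
```

Hosts whose version cannot be read are reported separately rather than counted as patched, so a failed inventory probe does not hide an outdated client.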

Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]