Mozilla has rolled out the latest release of its Thunderbird email client with numerous security fixes. This month's update carries the largest number of security fixes of any Thunderbird release so far in 2019. Reportedly, Thunderbird 60.7 brings patches for 16 different security flaws of varying severity.
High-Severity Patches With Thunderbird 60.7
This week, Mozilla released Thunderbird 60.7 to users. This version addresses 13 different high-severity flaws. Among these, a timing attack vulnerability (CVE-2019-9815) could affect Mac users in particular. To get the patch for it, users must upgrade to macOS 10.14.5. Another vulnerability (CVE-2019-11693) specifically affects Linux users: a buffer overflow in the bufferdata function in WebGL.
The latest Thunderbird also fixes 5 use-after-free flaws in various components, a type confusion vulnerability demonstrated with UnboxedObjects (CVE-2019-9816), and numerous others. It also patches a set of critical memory safety bugs (CVE-2019-9800) that affected the Firefox 66 and Firefox ESR 60.6 browsers as well. These vulnerabilities could allow arbitrary code execution when triggered.
Other Security Fixes
Apart from the high-severity bugs, Mozilla also patched some moderate-severity flaws in Thunderbird. These include a memory leak in the Windows sandbox (CVE-2019-11694) affecting Windows users only, a flaw allowing theft of browsing history (CVE-2019-11698), and an out-of-bounds read vulnerability in the Skia library (CVE-2019-5798).
As stated in Mozilla's advisory, exploiting any of the flaws via email was not possible because scripting is disabled.
In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.
Nonetheless, users must update to the latest version to prevent potential attacks.
Alongside Thunderbird, Mozilla has also launched updated versions of its browsers, Firefox 67 and Firefox ESR 60.7. These versions also carry fixes for numerous security bugs, including critical memory leakage flaws.