It hasn’t been long since Mozilla last released updates for its Thunderbird email client, yet the program has needed security fixes once again. Mozilla has now rolled out Thunderbird 60.7.1, which contains patches for four different vulnerabilities.
Multiple High-Severity Security Fixes
This week, Mozilla rolled out an updated version of its email client, Thunderbird 60.7.1, which reportedly carries patches for numerous high-severity bugs.
According to Mozilla’s security advisory, the updated Thunderbird version addresses three different vulnerabilities with a high-severity rating. All of them existed in Thunderbird’s implementation of iCal, in the processing of certain emails, and any of these bugs could lead to a potentially exploitable crash.
Specifically, they include a heap buffer overflow in icalparser.c (CVE-2019-11703), another heap buffer overflow in icalvalue.c (CVE-2019-11704), and a stack buffer overflow in icalrecur.c (CVE-2019-11705).
Single Low-Severity Bug Fix With Thunderbird 60.7.1
In addition to the high-severity vulnerabilities above, the updated Thunderbird client also addresses a low-severity bug. This flaw also existed in the implementation of iCal when processing certain emails. It is a type confusion bug in icalproperty.c (CVE-2019-11706) that could result in a system crash when exploited.
All four vulnerabilities are fixed in Thunderbird version 60.7.1. Researcher Luis Merino of X41 D-Sec reported these flaws, which Mozilla then went on to fix.
Unlike most Thunderbird bugs, which usually cannot be exploited in the Thunderbird client, these vulnerabilities were potentially exploitable because they affected email processing. Users must therefore update promptly to the patched version to stay protected from potential exploits.
Around a week before the Thunderbird update, Mozilla also fixed a moderate-severity bug affecting the Firefox browser. As disclosed in its advisory, the vulnerability (CVE-2019-11702) allowed using Internet Explorer protocols to open local files at a known location. This vulnerability typically affected only Windows users, leaving users of other operating systems unaffected. Mozilla rolled out the fix for this bug with the release of Firefox version 67.0.2.