Thunderbird 60.7.2 Security Release Available, Upgrade if you use Thunderbird

From LinuxReviews

Users of the e-mail client Thunderbird from the Mozilla foundation corporation should absolutely upgrade to this latest version of Thunderbird, which fixes two security issues, one of which is really bad: the right specially crafted e-mail gets to run arbitrary code on your computer.


Upgrading is especially important if you are using an older version of Thunderbird.

Version 60.7, released on May 20th, fixed a very long list of problems. 60.7.1, released June 13th, addressed two heap buffer overflows. This latest release, 60.7.2, addresses two issues. The first of the fixed issues is currently used to crash Thunderbird users' e-mail clients through a type confusion vulnerability which can be triggered by manipulating JavaScript objects using Array.pop. There is exploit code available and it is currently being used in the wild. It is so common that you can acquire exploit code by disabling your e-mail server's filtering systems for as little as 30 minutes (the amount of garbage sent to your e-mail server will obviously vary; having run this site since 2004 means that in our case it's a lot).

The second issue fixed in Thunderbird 60.7.2 is more serious. It is described as:

"Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer."

CVE-2019-11708

The "when combined with additional vulnerabilities" part is somewhat concerning given the really long list of security issues fixed in Thunderbird 60.7 and 60.7.1. Upgrading to a newer version of Thunderbird is especially important if you are using an older version like 60.5.1. The e-mail client crashing when you open a specially crafted e-mail is not good, and the e-mail running arbitrary code on your machine is even worse.
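A quick way to check whether a machine is still running a build older than the fixed release. This is an added example, not code from LinuxReviews or from Mozilla; it assumes that `thunderbird --version` on Linux prints a line of the form `Thunderbird 60.7.2` (an assumption about the binary's output, not something the article states), and it falls back to a constructed sample string when no Thunderbird binary is installed.

```shell
#!/bin/sh
# Added example (not from LinuxReviews or Mozilla): decide whether an installed
# Thunderbird predates the 60.7.2 security release discussed in the article.

FIXED_VERSION="60.7.2"   # release that fixes CVE-2019-11708 and the Array.pop type confusion

# version_lt A B : succeed (exit 0) if dotted version A is strictly older than B.
# Components are compared numerically, left to right; missing components count as 0,
# so "60.7" is treated as older than "60.7.2".
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"            # leading component of each
        [ "$a" = "$ah" ] && a="" || a="${a#*.}" # drop it from the remainder
        [ "$b" = "$bh" ] && b="" || b="${b#*.}"
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then return 0; fi
        if [ "$ah" -gt "$bh" ]; then return 1; fi
    done
    return 1   # equal versions are not "older"
}

# parse_tb_version "Thunderbird 60.7.2" -> "60.7.2"
# Assumes the "Thunderbird <version>" format printed by `thunderbird --version`.
parse_tb_version() {
    printf '%s\n' "$1" | sed -n 's/^Thunderbird \([0-9][0-9.]*\).*/\1/p'
}

# tb_needs_upgrade "<--version output>" : exit 0 if that build is older than 60.7.2,
# 1 if it is at or past the fix, 2 if the string could not be parsed.
tb_needs_upgrade() {
    v=$(parse_tb_version "$1")
    if [ -z "$v" ]; then
        echo "could not parse a version from: $1" >&2
        return 2
    fi
    version_lt "$v" "$FIXED_VERSION"
}

# Stand-alone use: query the installed binary if there is one, otherwise use a
# constructed sample matching the old 60.5.1 build the article mentions.
if command -v thunderbird >/dev/null 2>&1; then
    out=$(thunderbird --version 2>/dev/null)
else
    out="Thunderbird 60.5.1"   # constructed sample input
fi
if tb_needs_upgrade "$out"; then
    echo "$out is older than $FIXED_VERSION: upgrade"
else
    echo "$out is at or past $FIXED_VERSION"
fi
```

The comparison is done component by component rather than as a plain string compare so that, for example, 60.10 is correctly treated as newer than 60.7.2.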

The text-based e-mail client Mutt and the GTK-based Claws Mail do not have these kinds of problems.

You can find an overview of all the security problems with Thunderbird 60 since its release in August 2018 at https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/