Mozilla issued a critical security update to address five flaws in the popular open-source Thunderbird email client.
The latest release, Thunderbird 52.5.2 version, fixes the vulnerabilities, including two issues rated as high, one rated moderate and another low.
The most severe flaw fixed with the Thunderbird 52.5.2 version is a critical buffer overflow vulnerability (tracked as CVE-2017-7845) that affects Thunderbird running on the Windows operating system.
“A buffer overflow occurs when drawing and validating elements using Direct 3D 9 with the ANGLE graphics library, used for WebGL content. This is due to an incorrect value being passed within the library during checks and results in a potentially exploitable crash.” reads the security advisory published by the Mozilla Foundation.
The two security vulnerabilities rated as high were CVE-2017-7846 and CVE-2017-7847. The first one (CVE-2017-7846) affects the Thunderbird’s RSS reader.
The second high-severity issue tracked as CVE-2017-7847 also affect the RSS reader.
“Crafted CSS in an RSS feed can leak and reveal local path strings, which may contain user name.” states the advisory.
The moderate issue tracked as CVE-2017-7848 also affects the RSS feed, while low issue tracked as CVE-2017-7829 impacts email.
“It is possible to spoof the sender’s email address and display an arbitrary sender address to the email recipient. The real sender’s address is not displayed if preceded by a null character in the display string.” reads Mozilla’s advisory.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.