Thunderbird has released a new version to address a dozen security vulnerabilities, including the EFAIL encryption issue that was discovered in May.
The new version addresses two EFAIL-related issues in the way Thunderbird handles encrypted messages.
“The EFAIL attacks exploit vulnerabilities in the OpenPGP and S/MIME standards to reveal the plaintext of encrypted emails. In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs.” reads the blog post published by the researchers that discovered the EFAIL flaw.
“To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago.”
The new Thunderbird 52.9 addresses the CVE-2018-12372 flaw that can be exploited by attackers to build S/MIME and PGP decryption stubs in HTML messages.
“Decrypted S/MIME parts, when included in HTML crafted for an attack, can leak plaintext when included in a HTML reply/forward.” reads the security advisory published by the Mozilla Foundation.
The new version also fixes the CVE-2018-12373 flaw that could result in the leakage of S/MIME plaintext when a message is forwarded.
Thunderbird 52.9 also addresses some critical flaws such as the CVE-2018-12359 that is a buffer overflow vulnerability that could be exploited to crash a vulnerable system
“A buffer overflow can occur when rendering canvas content while adjusting the height and width of the <canvas> element dynamically, causing data to be written outside of the currently computed boundaries.”
The new release also fixes a use-after-free flaw tracked as CVE-2018-12360 that could be exploited to crash a target system.
“A use-after-free vulnerability can occur when deleting an
input element during a mutation event handler triggered by focusing that element. This results in a potentially exploitable crash.” continues the advisory.
Another security issue is related to the executable SettingContent-ms files, the security researcher Matt Nelson discovered that Windows 10 users weren’t getting warned when they were opening such kind of files. This issue was tracked as CVE-2018-12368 and could be used by attackers to execute arbitrary code by tricking users into opening the files.
“Windows 10 does not warn users before opening executable files with the SettingContent-ms extension even when they have been downloaded from the internet and have the “Mark of the Web.” continues the advisory.
“Without the warning, unsuspecting users unfamiliar with this new file type might run an unwanted executable. This also allows a WebExtension with the limited downloads.open permission to execute arbitrary code without user interaction on Windows 10 systems”.
Thunderbird also addressed some memory sasome memoryat derived from the Firefox code base.
The good news is that the bugs coild not ne directly exploitable in the e-mail client because scripting is disabled while users are reading messages.
(Security Affairs – Thunderbird, EFAIL)