Mozilla released security updates for the Thunderbird email client that address vulnerabilities that could be exploited by attackers to execute arbitrary code on impacted systems.
Mozilla released Thunderbird version 60.7.1 that addresses three High severity vulnerabilities and one Low risk issue.
The three High severity vulnerabilities addressed by Mozilla are
The Low risk issue, tracked as CVE-2019-11706, is a type confusion in icalproperty.c.
“Mozilla has released a security update to address vulnerabilities in Thunderbird. An attacker could exploit these vulnerabilities to take control of an affected system.” reads the advisory published by the US-CERT.
“The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for Thunderbird 60.7.1 and apply the necessary update.”
The vulnerabilities affect all the Thunderbird versions prior to 60.7.1.
Depending on the user’s privileges, an attacker could carry out several malicious activities, such as installing malicious applications and creating new admin accounts.
Mozilla credited the researcher Luis Merino of X41 D-Sec for the discovery of the above flaws. The vulnerabilities affect the implementation of iCal functions, they could be used to cause a crash of the system when processing specially crafted email messages.
The expert pointed out that the flaws cannot be triggered via email in Thunderbird because the scripting is disabled when reading mail. The issue could be exploitable in browser or browser-like contexts.
The good news is Mozilla is not aware of any attack exploiting the flaws in the wild.
(SecurityAffairs – Thunderbird, hacking)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.