Mozilla resolves critical code execution flaw in Thunderbird email client

The severe bug has been smoothed over as part of a wider security update.

Mozilla has resolved a critical vulnerability in the Thunderbird email client which could lead to the execution of arbitrary code by attackers.

Mozilla begins process of letting Firefox rust

In August, Firefox will ship its first feature across all desktop platforms built using its Rust language.

Read More

The security flaw, CVE-2018-12376, is a memory corruption issue that "with enough effort" could be exploited in order to run arbitrary code, according to Mozilla's security advisory.

The resolution of the vulnerability is part of the Thunderbird version 60.2.1 update, which also tackled two high-risk bugs, three vulnerabilities issued with a moderate risk rating, and one low-level security flaw.

The first high-risk vulnerability, CVE-2018-12377 is a use-after-free bug found in Thunderbird's refresh driver timers. If the timer is deleted at the same time refresh drivers are being refreshed during shut down, this can cause the email client to crash.

See also: Mozilla rolls out recovery key option for Firefox accounts

The second dangerous bug which has been resolved in the update is CVE-2018-12378, another use-after-free bug which occurs when "an IndexedDB index is deleted while still in use by JavaScript code that is providing payload values to be stored." This, too, can result in an exploitable crash.

CNET: Mozilla gives Firefox Focus a browser brain transplant on Android

Three moderate vulnerabilities, CVE-2018-12379, CVE-2017-16541, and CVE-2018-12385 have all also been patched.

The first is an out-of bounds write issue caused by opening malicious MAR files leading to a Thunderbird crash; while the second is a proxy bypass circumvention issue present in automount features.

The third vulnerability is a data cache issue present in the TransportSecurityInfo facility which, if exploited, can trigger a startup crash for Thunderbird users switching between the Nightly and Release versions of Firefox when the same profile is in use.

The last problem resolved in this update is CVE-2018-12383, a low-risk bug which may, in some contexts, expose unencrypted copies of passwords.

TechRepublic: How to use Firefox's about:config

"If a user saved passwords before Firefox 58 and then later set a master password, an unencrypted copy of these passwords is still accessible," Mozilla says. "This is because the older stored password file was not deleted when the data was copied to a new format starting in Firefox 58. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations."

Mozilla notes that in general, Thunderbird users most likely won't be affected by these vulnerabilities as scripting is disabled when reading mail; however, there is still some danger in relation to browser contexts.

As a result, Thunderbird users should consider updating their software builds immediately.

Previous and related coverage