Mozilla has resolved a critical vulnerability in the Thunderbird email client which could lead to the execution of arbitrary code by attackers.
The resolution of the vulnerability is part of the Thunderbird version 60.2.1 update, which also tackled two high-risk bugs, three vulnerabilities issued with a moderate risk rating, and one low-level security flaw.
The first high-risk vulnerability, CVE-2018-12377 is a use-after-free bug found in Thunderbird's refresh driver timers. If the timer is deleted at the same time refresh drivers are being refreshed during shut down, this can cause the email client to crash.
The first is an out-of bounds write issue caused by opening malicious MAR files leading to a Thunderbird crash; while the second is a proxy bypass circumvention issue present in automount features.
The third vulnerability is a data cache issue present in the TransportSecurityInfo facility which, if exploited, can trigger a startup crash for Thunderbird users switching between the Nightly and Release versions of Firefox when the same profile is in use.
The last problem resolved in this update is CVE-2018-12383, a low-risk bug which may, in some contexts, expose unencrypted copies of passwords.
TechRepublic: How to use Firefox's about:config
"If a user saved passwords before Firefox 58 and then later set a master password, an unencrypted copy of these passwords is still accessible," Mozilla says. "This is because the older stored password file was not deleted when the data was copied to a new format starting in Firefox 58. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations."
Mozilla notes that in general, Thunderbird users most likely won't be affected by these vulnerabilities as scripting is disabled when reading mail; however, there is still some danger in relation to browser contexts.
As a result, Thunderbird users should consider updating their software builds immediately.