ADVISORY!

TLP: CLEAR

Date: 22/04/2024

REF NO: CERT / 2024/04/34

Mozilla Thunderbird Multiple Vulnerabilities

Severity Level: Medium

Components Affected

Versions prior to:

  • Thunderbird 115.10

Overview

Multiple vulnerabilities were identified in Mozilla Thunderbird. A remote attacker could exploit some of these vulnerabilities to trigger a denial of service condition, remote code execution and security restriction bypass on the targeted system.

Description

Recent reports identify multiple vulnerabilities in Mozilla Thunderbird. They range from JIT optimization errors that can lead to memory corruption, to delays in permission prompt input that leave the application susceptible to clickjacking by malicious websites. Among the more serious issues, the JIT incorrectly optimized switch statements, resulting in out-of-bounds reads, and generated incorrect code for arguments, creating a risk of use-after-free crashes during garbage collection. Memory safety bugs were also present in Firefox 124, Firefox ESR 115.9 and Thunderbird 115.9; some of these showed evidence of memory corruption and could presumably be exploited to execute arbitrary code. Additionally, on Windows, no executable file warning was shown when downloading .xrm-ms files, so users could inadvertently expose themselves to malicious payloads.

These vulnerabilities compromise the integrity and security of Mozilla Thunderbird and call for prompt mitigation. The potential consequences range from memory corruption and arbitrary code execution to the exploitation of out-of-bounds reads, which could give attackers unauthorized access to sensitive information or the ability to execute malicious code remotely. Addressing them requires auditing and patching the affected code and adding safeguards against similar issues in the future. Users are strongly advised to update their Thunderbird installations to the latest patched versions and to exercise caution when downloading files, especially on Windows systems, where the absence of executable file warnings poses a notable risk. By proactively addressing these vulnerabilities, Mozilla can uphold its commitment to user security and maintain the trust of its global community of Thunderbird users.

Impact

  • Denial of Service
  • Remote Code Execution
  • Security Restriction Bypass

Solution / Workarounds

Before installing the software, please visit the vendor website for more details.

Apply fixes issued by the vendor:

  • Thunderbird 115.10
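A check an administrator can run to confirm an installation is at or above the fixed release named above. This is an added example, not part of the advisory; it assumes the version string comes from `thunderbird --version` (sample strings such as `Thunderbird 115.9.1` below are constructed), and it compares numerically because a string comparison would rank 115.9 above 115.10.

```python
import re
import subprocess

# Fixed release named in the advisory (Thunderbird 115.10).
FIXED_VERSION = (115, 10)


def parse_version(text):
    """Extract a numeric version tuple from text such as 'Thunderbird 115.9.1'.

    Returns None if no version number is found. Suffixes such as 'esr' are ignored.
    """
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(text, fixed=FIXED_VERSION):
    """True when the reported version is older than the fixed release.

    Tuple comparison is used on purpose: comparing the strings would rank
    '115.9' above '115.10' and miss the vulnerable case.
    """
    ver = parse_version(text)
    if ver is None:
        raise ValueError("no version number found in: %r" % text)
    # Pad to equal length so 115.10 and 115.10.0 compare as equal.
    n = max(len(ver), len(fixed))
    ver = ver + (0,) * (n - len(ver))
    fixed = fixed + (0,) * (n - len(fixed))
    return ver < fixed


def installed_version_output(binary="thunderbird"):
    """Run '<binary> --version' and return its output, or None if not on PATH.

    Assumption: the binary prints a line like 'Thunderbird 115.9.1'.
    """
    try:
        proc = subprocess.run([binary, "--version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return proc.stdout.strip()


if __name__ == "__main__":
    out = installed_version_output()
    if out is None:
        print("Thunderbird binary not found on PATH")
    else:
        status = "VULNERABLE (update to 115.10)" if is_vulnerable(out) else "patched"
        print("%s -> %s" % (out, status))
```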

Reference

Disclaimer: The information provided herein is on an “as is” basis, without warranty of any kind.

Sri Lanka Computer Emergency Readiness Team | Coordination Centre

Copyright © 2023 SRI LANKA CERT | CC