Mozilla issued a critical security update to its popular open-source Thunderbird email client. The patch was part of a December release of five fixes that included two bugs rated high and one rated moderate and another low.

Mozilla said Thunderbird, which is also serves as a news, RSS and chat client, the latest Thunderbird 52.5.2 version released last week fixes the vulnerabilities.

The most serious of the fixes is a critical buffer overflow bug (CVE-2017-7845) impacting Thunderbird running on the Windows operating system. The bug is present when “drawing and validating elements with angle library using Direct 3D 9,” according to the Mozilla Foundation Security Advisory.

“A buffer overflow occurs when drawing and validating elements using Direct 3D 9 with the ANGLE graphics library, used for WebGL content. This is due to an incorrect value being passed within the library during checks and results in a potentially exploitable crash,” Mozilla wrote.

The same critical vulnerability (CVE-2017-7845) was reported and patched earlier this month in Mozilla’s Firefox web browser. That issue was resolved in Firefox 57.0.2, released on December 7.

The two security issues rated high were CVE-2017-7846 and CVE-2017-7847. The first is described as a flaw in Thunderbird’s RSS reader. “It is possible to execute JavaScript in the parsed RSS feed when RSS feed is viewed as a website, e.g. via ‘View -> Feed article -> Website’ or in the standard format of ‘View -> Feed article -> default format’,” Mozilla said.

In the case of the second high-severity vulnerability, “crafted CSS in an RSS feed can leak and reveal local path strings, which may contain user name,” they said.

The remaining moderate (CVE-2017-7848) and low (CVE-2017-7829) vulnerabilities are a RSS bug and a bug impacting email.

“It is possible to spoof the sender’s email address and display an arbitrary sender address to the email recipient. The real sender’s address is not displayed if preceded by a null character in the display string,” wrote Mozilla regarding the low-level vulnerability.

The attention to Firefox comes just as Mozilla has announced plans to update Thunderbird’s codebase. Earlier this year Mozilla said it would update Thunderbird’s UI, code and align it more closely with Firefox by phasing out support for legacy add-ons built on the XUL and XPCOM APIs.

to read the original article:

Mozilla Patches Critical Bug in Thunderbird

Laisser un commentaire

Votre adresse de messagerie ne sera pas publiée. Les champs obligatoires sont indiqués avec *

Next Post

Spoofed Emails from Supposedly Corporate Printer Vendors Install Backdoor

Corporate printers and scanners related emails are quite common in large organizations and this particular aspect is now deemed as a potential opportunity for exploitation by cybercriminals. According to the findings of Barracuda Networks, there is a sudden rise in attacks involving HP, Canon and Epson printer and scanner email […]