According to a security report issued by Mozilla, the company has patched multiple vulnerabilities in its open-source cross-platform email client Thunderbird. The report, released on March 25, addressed flaws brought to the company's attention by researchers at Trend Micro’s Zero Day Initiative (namely Niklas Baumstark, Richard Zhu, and Amat Cama).
The first vulnerability (CVE-2019-9810) deals with “incorrect alias information” in the “IonMonkey JIT compiler for Array.prototype.slice method which may lead to missing bounds check and a buffer overflow.” The second vulnerability (CVE-2019-9813) is described as "incorrect handling of __proto__ mutations" which "may lead to type confusion in IonMonkey JIT code and can be leveraged for arbitrary memory read and write."
Mozilla also states in the report that the actual exploitable danger lies not in the email client itself, but rather in situations that involve internet browsers. In the company's words:
"In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts."
This should not be taken as an excuse for lazy users to put off updating their email client (assuming their updates are not set to auto). Scripting is disabled in certain contexts, which closes off exploitation there, but the vulnerabilities are still very much a threat. Especially with how much sensitive data is transmitted through email accounts these days, it would be foolish to ignore the patch. Furthermore, if Black Hats did not already know about CVE-2019-9810 and CVE-2019-9813, they do now.
This is always the double-edged sword of releasing patch notes: they not only notify users but also alert criminals looking to exploit unpatched installations.