Mozilla patches critical vulnerabilities in Thunderbird

According to a security advisory issued by Mozilla, the company has patched multiple vulnerabilities in its open-source, cross-platform email client Thunderbird. The advisory, released on March 25, addresses vulnerabilities reported to Mozilla through Trend Micro's Zero Day Initiative by researchers Niklas Baumstark, Richard Zhu, and Amat Cama.

Mozilla rates both vulnerabilities as critical, the highest level on its own impact scale, and though Mozilla does not disclose when it was first notified of the flaws, it appears to have taken the reports seriously. The vulnerabilities lie in IonMonkey, the JavaScript JIT (just-in-time) compiler of the SpiderMonkey engine that Thunderbird shares with Firefox, and are fixed in the Thunderbird 60.6.1 update.

The first vulnerability (CVE-2019-9810) is a memory-safety bug: “incorrect alias information” in the “IonMonkey JIT compiler for Array.prototype.slice method which may lead to missing bounds check and a buffer overflow.” The second (CVE-2019-9813) is described as “incorrect handling of __proto__ mutations” which “may lead to type confusion in IonMonkey JIT code and can be leveraged for arbitrary memory read and write.” A type confusion that yields arbitrary read and write is the kind of primitive attackers chain into full code execution, which is why both carry the critical rating.

Mozilla also states in the advisory that the practical exposure is not in reading mail itself, but in browser or browser-like contexts where script is allowed to run. In the company's words:

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

This should not be taken as a workaround that lets users put off updating their email client (assuming updates are not set to apply automatically). Scripting being disabled in the message pane blocks one route to the bugs; it does not remove them. The vulnerable JIT code still ships inside the client, and Mozilla's own wording leaves open “browser or browser-like contexts” within it. Given how much sensitive data passes through email accounts these days, it would be foolish to ignore the patch. Furthermore, if attackers did not already know about CVE-2019-9810 and CVE-2019-9813, they do now.
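For anyone managing more than one desktop, the practical check is whether every install has reached 60.6.1. The script below is an added example for this article, not Mozilla's code; the inventory and host names in it are constructed and hypothetical, and it assumes the version string is whatever Help > About or `thunderbird --version` reports. It flags every install whose version is numerically below the fixed release, and treats an unparseable version as exposed rather than silently skipping it.

```python
"""Flag Thunderbird installs that predate the 60.6.1 fix for
CVE-2019-9810 and CVE-2019-9813.

Added example for this article; the inventory is constructed sample data
and the host names are hypothetical.
"""
import re
from typing import List, Tuple

FIXED_VERSION = "60.6.1"
ADVISORY_CVES = ("CVE-2019-9810", "CVE-2019-9813")

# Constructed sample inventory: (hostname, version string as reported by the
# client). Hypothetical hosts; mixes the raw number with the About-dialog
# format and an unparseable entry.
INVENTORY = [
    ("ws-alice", "60.6.1"),
    ("ws-bob", "60.6.0"),
    ("ws-carol", "60.5.3"),
    ("ws-dave", "60.7.0"),
    ("ws-erin", "Thunderbird 60.6.1 (64-bit)"),  # prefix/suffix must not break parsing
    ("ws-frank", "52.9.1"),                      # older line, well below the fix
    ("ws-grace", "unknown"),                     # agent could not read the version
]

# First dotted number anywhere in the string; the patch component is optional.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(s: str) -> Tuple[int, int, int]:
    """Turn '60.6.1', '60.6' or 'Thunderbird 60.6.1 (64-bit)' into a
    comparable (major, minor, patch) tuple. Raises ValueError if no
    dotted version number is present."""
    m = _VERSION_RE.search(s)
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the install is at or above the release carrying the fix.
    Components compare as integers, so 60.10.0 correctly ranks above 60.6.1."""
    return parse_version(version) >= parse_version(fixed)


def audit(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (host, version) for every install still exposed to the advisory.
    Unknown version strings are reported as exposed: a false positive in a
    patch audit is cheaper than a host that quietly drops out of the list."""
    exposed = []
    for host, version in inventory:
        try:
            if is_patched(version):
                continue
        except ValueError:
            pass
        exposed.append((host, version))
    return exposed


if __name__ == "__main__":
    for host, version in audit(INVENTORY):
        print(f"{host}: Thunderbird {version!r} is below {FIXED_VERSION}; "
              f"update for {', '.join(ADVISORY_CVES)}")
```

Feed it the real output of your endpoint inventory in place of the constructed list; the only assumption the comparison makes is that Thunderbird's dotted version components are numeric.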

This is the double-edged sword of publishing patch notes: they notify users, but they also point criminals at exactly what to look for on unpatched installations.

Featured image: Flickr / Marco Verch

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
