Mozilla patches critical vulnerabilities in Thunderbird

According to a security report issued by Mozilla, the company has patched multiple vulnerabilities in its open-source cross-platform email client Thunderbird. The report, released on March 25, addressed flaws brought to the company's attention by researchers at Trend Micro’s Zero Day Initiative (namely Niklas Baumstark, Richard Zhu, and Amat Cama).

The vulnerabilities are rated on the Common Vulnerability Scoring System (CVSS) as critical, and though Mozilla does not disclose when they were first notified of the flaws, it appears that they took the warnings from researchers seriously. The vulnerabilities specifically involve Thunderbird’s IonMonkey JavaScript JIT (just-in-time) compiler and are patched in the Thunderbird 60.6.1 update.

The first vulnerability (CVE-2019-9810) deals with “incorrect alias information” in the “IonMonkey JIT compiler for Array.prototype.slice method which may lead to missing bounds check and a buffer overflow.” The second vulnerability (CVE-2019-9813) is described as "incorrect handling of __proto__ mutations" which "may lead to type confusion in IonMonkey JIT code and can be leveraged for arbitrary memory read and write."

Mozilla also states in the report that the actual exploitable danger lies not in the email client itself, but rather in a situation that involves internet browsers. The company states:

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

This should not be taken as some sort of workaround for lazy users to put off updating their email client (assuming their updates are not set to auto). Scripting being disabled in certain contexts blocks exploitation in those contexts, but the vulnerabilities are still very much a threat. Especially with how much sensitive data is transmitted in email accounts these days, it would be foolish to ignore the patch. Furthermore, if Black Hats did not already know about CVE-2019-9810 and CVE-2019-9813, they do now.

This is always the double-edged sword of releasing patch notes: it not only notifies users but also alerts criminals looking to exploit unpatched flaws.


Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regard to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
