Mozilla patches critical vulnerabilities in Thunderbird

According to a security report issued by Mozilla, the company has patched multiple vulnerabilities in its open-source cross-platform email client Thunderbird. The report, released on March 25, addressed the exploits brought to their attention by researchers at Trend Micro’s Zero Day Initiative (namely Niklas Baumstark, Richard Zhu, and Amat Cama).

The vulnerabilities are rated on the Common Vulnerability Scoring System (CVSS) as critical, and though Mozilla does not disclose when they were first notified of the flaws, it appears that they took the warnings from researchers seriously. The vulnerabilities specifically involve Thunderbird’s IonMonkey JavaScript JIT (just-in-time) compiler and are patched in the Thunderbird 60.6.1 update.

The first vulnerability (CVE-2019-9810) deals with “incorrect alias information” in the “IonMonkey JIT compiler for Array.prototype.slice method which may lead to missing bounds check and a buffer overflow.” The second vulnerability (CVE-2019-9813) is described as "incorrect handling of __proto__ mutations" which "may lead to type confusion in IonMonkey JIT code and can be leveraged for arbitrary memory read and write."

Mozilla also states in the report that the real exploitable danger lies not in the email client itself, but in browser or browser-like contexts. In the company's own words:

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

This should not be taken as some sort of workaround for lazy users to put off updating their email client (assuming their updates are not set to auto). Even though scripting is disabled in certain contexts, which blocks exploitation there, the vulnerabilities are still very much a threat. Especially with how much sensitive data is transmitted through email accounts these days, it would be foolish to ignore the patch. Furthermore, if Black Hats did not already know about CVE-2019-9810 and CVE-2019-9813, they do now.

This is always the double-edged sword of releasing patch notes: they not only notify users but also alert criminals looking to exploit unpatched vulnerabilities.

Featured image: Flickr / Marco Verch

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regards to information security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
