Mozilla patches critical vulnerabilities in Thunderbird

According to a security report issued by Mozilla, the company has patched multiple vulnerabilities in its open-source cross-platform email client Thunderbird. The report, released on March 25, addressed the exploits brought to their attention by researchers at Trend Micro’s Zero Day Initiative (namely Niklas Baumstark, Richard Zhu, and Amat Cama).

The vulnerabilities are rated on the Common Vulnerability Scoring System (CVSS) as critical, and though Mozilla does not disclose when they were first notified of the flaws, it appears that they took the warnings from researchers seriously. The vulnerabilities specifically involve Thunderbird’s IonMonkey JavaScript JIT (just-in-time) compiler and are patched in the Thunderbird 60.6.1 update.

The first vulnerability (CVE-2019-9810) deals with “incorrect alias information” in the “IonMonkey JIT compiler for Array.prototype.slice method which may lead to missing bounds check and a buffer overflow.” The second vulnerability (CVE-2019-9813) is described as “incorrect handling of __proto__ mutations” which “may lead to type confusion in IonMonkey JIT code and can be leveraged for arbitrary memory read and write.”

Mozilla also states in the report that the actual exploitable danger lies not in the email client itself, but rather in a situation that involves internet browsers. In their words the company states the following:

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

This should not be taken as some sort of workaround for lazy users to put off updating their email client (assuming their updates are not set to auto). Just because scripting is disabled in certain contexts, thereby disabling the vulnerabilities, the vulnerabilities are still very much a threat. Especially with how much sensitive data is transmitted in email accounts these days, it would foolish to ignore the patch. Furthermore, if Black Hats did not already know about (CVE-2019-9810) and (CVE-2019-9813), they do now.

This is always the double-edged sword about releasing patch notes, as it not only notifies users but also alerts criminals looking to exploit unpatched exploits.

Featured image: Flickr / Marco Verch

2 thoughts on “Mozilla patches critical vulnerabilities in Thunderbird”

  1. The Mozilla link appears to be about 14yo bugs in Firefox, as opposed to anything to do with Thunderbird …

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top