Vulnerabilities in Thunderbird Email Client Allow Code Execution

Security updates released by Mozilla this week for the Thunderbird email client address vulnerabilities that could be exploited to execute arbitrary code on impacted systems. 

Available as version 60.7.1, the latest Thunderbird iteration addresses only four vulnerabilities. Of these, three were rated High severity and one Low risk. 

An attacker capable of exploiting the most severe of these vulnerabilities could execute arbitrary code on the vulnerable machine, the Multi-State Information Sharing and Analysis Center (MS-ISAC), a division of the Center for Internet Security, reveals in an advisory shared with SecurityWeek.

“Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” the advisory reads. 

Thus, if the impacted user account is configured with fewer user rights on the system, the attack could be less harmful compared to incidents where accounts with administrative user rights are compromised. 

The High severity bugs addressed in the popular email client this month include CVE-2019-11703 (heap buffer overflow in icalparser.c), CVE-2019-11704 (heap buffer overflow in icalvalue.c), and CVE-2019-11705 (stack buffer overflow in icalrecur.c). 

The Low risk vulnerability is CVE-2019-11706, a type confusion in icalproperty.c. 

All of these security bugs were reported by Luis Merino of X41 D-Sec and all affect Thunderbird’s implementation of iCal, leading to a crash when processing certain email messages. However, only the first three are considered exploitable. 

Normally these flaws cannot be exploited through email in Thunderbird, given that scripting is disabled when reading mail, but they could pose a risk in browser or browser-like contexts, the MS-ISAC advisory reveals. 

All Thunderbird versions prior to 60.7.1 are vulnerable, but there are no reports of these vulnerabilities being exploited in the wild. 

The MS-ISAC advisory also notes that the vulnerabilities pose a High risk to large and medium business and government entities, but only a Medium risk to small government and business entities. 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.