Security Experts:

Connect with us

Hi, what are you looking for?



Vulnerabilities in Thunderbird Email Client Allow Code Execution

Security updates released by Mozilla this week for the Thunderbird email client address vulnerabilities that could be exploited to execute arbitrary code on impacted systems. 

Security updates released by Mozilla this week for the Thunderbird email client address vulnerabilities that could be exploited to execute arbitrary code on impacted systems. 

Available as version 60.7.1, the latest Thunderbird iteration addresses only four vulnerabilities. Of these, three were rated High severity and one Low risk. 

An attacker capable of exploiting the most severe of these vulnerabilities could execute arbitrary code on the vulnerable machine, the Multi-State Information Sharing and Analysis Center (MS-ISAC), a division of the Center for Internet Security, reveals in an advisory shared with SecurityWeek

“Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” the advisory reads. 

Thus, if the impacted user account is configured with fewer user rights on the system, the attack could be less harmful compared to incidents where accounts with administrative user rights are compromised. 

The High severity bugs addressed in the popular email client this month include CVE-2019-11703 (heap buffer overflow in icalparser.c), CVE-2019-11704 (heap buffer overflow in icalvalue.c), and CVE-2019-11705 (stack buffer overflow in icalrecur.c). 

The Low risk vulnerability is CVE-2019-11706, a type confusion in icalproperty.c. 

All of these security bugs were reported by Luis Merino of X41 D-Sec and all affect Thunderbird’s implementation of iCal, leading to a crash when processing certain email messages. However, only the first three are considered exploitable. 

Normally these flaws cannot be exploited through email in Thunderbird, given that scripting is disabled when reading mail, but they could pose a risk in browser or browser-like contexts, the MS-ISAC advisory reveals. 

All Thunderbird versions prior to 60.7.1 are vulnerable, but there are no reports of these vulnerabilities being exploited in the wild. 

The MS-ISAC advisory also notes that the vulnerabilities pose a High risk to large and medium business and government entities, but only a Medium risk to small government and business entities. 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.