
Multiple high-impact security issues have been discovered in Thunderbird, which could result in Denial of Service (DoS) leading to server crashes, access restrictions, arbitrary code execution, and spoofing. These findings include incorrect code generation during JIT compilation (CVE-2023-25751) and memory safety bugs present in Thunderbird 102.8 (CVE-2023-28176), both rated high severity.

Thunderbird 102.9.0 has been released as a security and bug fix update and is the latest stable version of the open-source email client. This article covers the vulnerabilities recently found in Thunderbird and fixed in version 102.9.0, to equip you with the information you need to protect against the downtime and system compromise that could result from these bugs being exploited against your organization.

Thunderbird 102.9.0 Security Fixes

Thunderbird 102.9.0 fixes six moderate-to-high severity security issues in the email client. The vulnerabilities addressed in version 102.9.0 include:

  • CVE-2023-25751: Incorrect code generation during JIT compilation could lead to a potentially exploitable crash (high severity rating)
  • CVE-2023-28164: URL being dragged from a removed cross-origin iframe into the same tab triggered navigation, potentially leading to user confusion and website spoofing attacks (moderate severity rating)
  • CVE-2023-28162: Invalid downcast in Worklets could lead to a potentially exploitable crash (moderate severity rating)
  • CVE-2023-25752: Potential out-of-bounds when accessing throttled streams may have led future code to be incorrect and vulnerable (moderate severity rating)
  • CVE-2023-28163: Windows Save As dialog resolved environment variables in the context of the current user (moderate severity rating)
  • CVE-2023-28176: Memory safety bugs present in Thunderbird 102.8 showed evidence of memory corruption and could potentially be exploited to run arbitrary code (high severity rating)

The release also includes the following non-security fixes:

  • Notification about a sender's changed OpenPGP key was not immediately visible
  • TLS Certificate Override dialog did not appear when retrieving messages via IMAP using "Get Messages" context menu
  • Spellcheck dictionaries were missing from localized Thunderbird builds that should have included them
  • Tooltips for "Show/Hide" calendar toggle did not display

Upgrade to Thunderbird 102.9.0 Now!

To protect against exploitation of these vulnerabilities, it is critical that all impacted users upgrade immediately. Existing Thunderbird installations should receive the update automatically as long as the automatic updates functionality has not been disabled by the administrator.

For users who prefer to update manually, this can be done by selecting “Help → About Thunderbird,” or by selecting the Settings icon in the new sidebar on the left. Thunderbird displays the installed version in a small overlay window in the interface. The email client performs an update check and will download and install updates that it finds during the check.
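For administrators who need to confirm the upgrade across many machines rather than clicking through the About dialog, the following script (an added example, not part of the original article) parses a "Thunderbird X.Y.Z" line such as the one printed by `thunderbird --version` (assumed output format) and compares it numerically against the fixed release, 102.9.0. The sample version lines are constructed; on a real host you would feed it the command's actual output.

```shell
#!/bin/sh
# Added example: flag Thunderbird installs older than the fixed release 102.9.0.
# Assumes "thunderbird --version" prints a line like "Thunderbird 102.8.0".

FIXED_VERSION="102.9.0"

# version_ge A B: return 0 if dotted numeric version A >= B, else 1.
# Compares component by component so that 102.10.0 > 102.9.0 (a plain
# string comparison would get this wrong).
version_ge() {
    v1="$1"; v2="$2"
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a="${v1%%.*}"; b="${v2%%.*}"
        [ -z "$a" ] && a=0      # missing component counts as 0
        [ -z "$b" ] && b=0
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
        case "$v1" in *.*) v1="${v1#*.}";; *) v1="";; esac
        case "$v2" in *.*) v2="${v2#*.}";; *) v2="";; esac
    done
    return 0   # all components equal
}

# parse_version LINE: print the version number from a "Thunderbird X.Y.Z" line.
parse_version() {
    printf '%s\n' "$1" | sed -n 's/^Thunderbird \([0-9][0-9.]*\).*$/\1/p'
}

# check_version_line LINE: print "patched", "VULNERABLE" or "unknown"
# and return 0, 1 or 2 respectively, for use in fleet inventory scripts.
check_version_line() {
    ver=$(parse_version "$1")
    if [ -z "$ver" ]; then echo "unknown"; return 2; fi
    if version_ge "$ver" "$FIXED_VERSION"; then echo "patched"; return 0; fi
    echo "VULNERABLE"; return 1
}

# Constructed sample outputs standing in for `thunderbird --version`.
for line in "Thunderbird 102.8.0" "Thunderbird 102.9.0" "Thunderbird 102.10.0"; do
    printf '%-22s -> %s\n' "$line" "$(check_version_line "$line")"
done
```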

To stay on top of important updates released by the open-source programs and applications you use, be sure to register as a LinuxSecurity user. Subscribe to our Linux Advisory Watch newsletter and customize your advisories for the distro(s) you use. This will enable you to stay up-to-date on the latest, most significant cybersecurity vulnerabilities impacting the data and network security of your systems.

Follow @LS_Advisories on X for real-time updates on advisories for your distro(s).