New Thunderbird Vulns Threaten Sensitive Data, System Availability
Several significant vulnerabilities have been found in the widely used Thunderbird email client. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could exploit these issues to cause a denial of service, obtain sensitive data, bypass security restrictions, perform cross-site tracing, execute arbitrary code, or escalate privileges on impacted systems.
What Are These Vulnerabilities & How Do They Impact Me?
The following security issues were discovered and fixed in Thunderbird:
- If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, perform cross-site tracing, or execute arbitrary code. (CVE-2023-6858)
- Thunderbird did not properly parse a PGP/MIME payload containing digitally signed text, so the text shown to the user could differ from what was actually signed while the signature was still displayed as valid. An attacker could exploit this issue to spoof the contents of an email message. (CVE-2023-50762)
- When verifying a digitally signed S/MIME email message, Thunderbird did not compare the signature creation date (the CMS signingTime attribute) with the message's Date header, and displayed the signature as valid despite a mismatch. An attacker could exploit this issue to make a message appear to have been sent at a different date and time. (CVE-2023-50761)
- Thunderbird did not properly manage memory when used on systems with the Mesa VM driver: the WebGL DrawElementsInstanced method was susceptible to a heap buffer overflow. An attacker could exploit this issue to execute arbitrary code. (CVE-2023-6856)
- Thunderbird did not properly validate the textures produced by remote decoders, allowing any content process to use them. An attacker could exploit this issue to escape the sandbox. (CVE-2023-6860)
- Privileges could be escalated through devtools. An attacker who gains elevated privileges this way could map further infrastructure to attack, add or delete users, or change the permissions of files or of other users. (CVE-2024-0751)
- Memory safety bugs were fixed in Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7. Some of these bugs showed evidence of memory corruption, and with enough effort some could presumably have been exploited to run arbitrary code. (CVE-2024-0755)
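The following is an added example, written for this page and not Thunderbird's own code, of the consistency check that CVE-2023-50761 describes as missing: comparing the CMS signingTime signed attribute of an S/MIME signature (RFC 5652 §11.3) with the RFC 5322 Date header of the message that carries it. The sample message, the one-hour skew tolerance, and the helper names are assumptions for the example; the cryptographic verification itself is stood in for by a boolean input rather than performed.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Allowed clock skew between the sender's mail client and its signing clock.
# The value is an assumption for this example, not a Thunderbird setting.
MAX_SKEW = timedelta(hours=1)

# Constructed sample message: only the headers matter for this check, so the
# body carries no real PKCS#7 signature blob.
SAMPLE_MESSAGE = """\
From: alice@example.org
To: bob@example.org
Subject: Q1 invoice
Date: Mon, 22 Jan 2024 10:15:00 +0100
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="sig"

--sig
Content-Type: text/plain

Please pay the attached invoice by Friday.
--sig
Content-Type: application/pkcs7-signature; name="smime.p7s"

(signature bytes omitted in this constructed sample)
--sig--
"""


def header_date(raw_message: str) -> datetime:
    """Return the message's Date header as a timezone-aware datetime."""
    msg = message_from_string(raw_message)
    date_hdr = msg.get("Date")
    if date_hdr is None:
        raise ValueError("message has no Date header")
    dt = parsedate_to_datetime(date_hdr)
    if dt.tzinfo is None:
        # RFC 5322 "-0000" means "no usable zone"; parsedate_to_datetime
        # returns a naive datetime for it, which we interpret as UTC.
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def signature_time_consistent(raw_message: str, signing_time: datetime,
                              max_skew: timedelta = MAX_SKEW) -> bool:
    """True when the CMS signingTime attribute agrees with the Date header
    within max_skew. signing_time must be timezone-aware (CMS encodes it
    as UTCTime/GeneralizedTime in UTC)."""
    if signing_time.tzinfo is None:
        raise ValueError("signing_time must be timezone-aware")
    return abs(header_date(raw_message) - signing_time) <= max_skew


def signature_verdict(raw_message: str, signing_time: datetime,
                      crypto_valid: bool) -> str:
    """Combine the cryptographic result with the date check.

    A signature that verifies but whose signingTime disagrees with the
    Date header must not be reported as a plain "valid" signature; that
    is the mistake CVE-2023-50761 describes. crypto_valid stands in for
    the real CMS verification result, which this example does not perform.
    """
    if not crypto_valid:
        return "invalid"
    if not signature_time_consistent(raw_message, signing_time):
        return "valid-but-date-mismatch"
    return "valid"


if __name__ == "__main__":
    utc = timezone.utc
    # 10:15 +0100 is 09:15 UTC; a signingTime 20 minutes later is consistent.
    print(signature_verdict(SAMPLE_MESSAGE,
                            datetime(2024, 1, 22, 9, 35, tzinfo=utc), True))
    # A signingTime two days later reveals a forged or replayed Date header.
    print(signature_verdict(SAMPLE_MESSAGE,
                            datetime(2024, 1, 24, 9, 15, tzinfo=utc), True))
```

A client that performs this check should surface the mismatch as a distinct warning rather than silently downgrading to "invalid", since the signature itself is genuine; the point is that the displayed date can no longer be trusted.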
Exploitation of these bugs could result in the compromise of sensitive information or loss of system availability.
How Can I Secure My Linux Systems?
A crucial update for Thunderbird (version 115.7 or later) has been released to fix these vulnerabilities. Because the flaws allow remote code execution, sandbox escape, and data theft if left unpatched, we strongly recommend that all affected users install the updated Thunderbird packages published by Mageia, Oracle, Slackware, and Ubuntu as soon as possible.
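As an added example (not code from Thunderbird or any of the distributions named above), the script below checks whether the locally installed Thunderbird reports a version at or above 115.7, the release the advisory names as containing the fixes, and prints the usual package-manager upgrade command when it does not. The fixed-version constant comes from this advisory; the package names and upgrade commands are assumptions about each distribution's package manager and should be checked against the distribution's own advisory.

```python
import re
import shutil
import subprocess
from typing import Optional

# Thunderbird 115.7 is the first release containing all fixes listed in
# this advisory (see the memory-safety entry above).
FIXED_VERSION = (115, 7, 0)

# Upgrade commands for the distributions named in the advisory. These are
# assumptions about the usual package names and package managers, not text
# taken from the distributions' advisories.
UPGRADE_COMMANDS = {
    "Ubuntu": "sudo apt update && sudo apt install --only-upgrade thunderbird",
    "Oracle Linux": "sudo dnf upgrade thunderbird",
    "Mageia": "sudo urpmi thunderbird",
    "Slackware": "slackpkg update && slackpkg upgrade mozilla-thunderbird",
}


def parse_version(text: str) -> tuple:
    """Extract a dotted numeric version from text such as
    'Thunderbird 115.7.0' and return it as an int tuple padded to at least
    three components, so that '115.7' compares equal to '115.7.0' rather
    than below it. Trailing suffixes such as 'esr' are ignored."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_patched(version_text: str) -> bool:
    """True when the given version string is at or above FIXED_VERSION."""
    return parse_version(version_text) >= FIXED_VERSION


def installed_version() -> Optional[str]:
    """Ask the installed binary for its version; None when it is not on
    PATH. The binary's own output is used rather than the package
    manager's version string, which may carry an epoch prefix like '1:'."""
    exe = shutil.which("thunderbird")
    if exe is None:
        return None
    result = subprocess.run([exe, "--version"], capture_output=True,
                            text=True, timeout=30)
    return result.stdout.strip() or None


def report(version_text: Optional[str]) -> str:
    """Human-readable status for a version string (or None if absent)."""
    if version_text is None:
        return "Thunderbird is not installed (or not on PATH); nothing to patch."
    if is_patched(version_text):
        return f"{version_text}: at or above 115.7, fixes applied."
    cmds = "\n".join(f"  {d}: {c}" for d, c in UPGRADE_COMMANDS.items())
    return (f"{version_text}: below 115.7, update required.\n"
            f"Upgrade with your distribution's package manager, e.g.:\n{cmds}")


if __name__ == "__main__":
    print(report(installed_version()))
```

Run it on each host where Thunderbird is installed; a version below 115.7 means the client is still exposed to every issue listed above, including the memory-safety and sandbox-escape bugs.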
To stay on top of essential updates released by the open-source programs and applications you use, register as a LinuxSecurity user, subscribe to our Linux Advisory Watch newsletter, and customize your advisories for your distro(s). This will enable you to stay up-to-date on the latest, most significant issues impacting the security of your systems.
Follow @LS_Advisories on X for real-time updates on advisories for your distro(s).