Mozilla released security updates for the Thunderbird email client addressing vulnerabilities that could allow code execution on affected systems.
Mozilla released Thunderbird version 60.7.1, which addresses three High severity vulnerabilities and one Low-risk issue.
The three High severity vulnerabilities addressed by Mozilla are:
- CVE-2019-11703 – heap buffer overflow in the function
- CVE-2019-11704 – heap buffer overflow in the function
- CVE-2019-11705 – stack buffer overflow in the function
The Low-risk issue, tracked as CVE-2019-11706, is a type confusion in icalproperty.c.
“Mozilla has released a security update to address vulnerabilities in Thunderbird. An attacker could exploit these vulnerabilities to take control of an affected system,” reads the advisory published by the US-CERT.
The vulnerabilities affect all Thunderbird versions prior to 60.7.1.
Depending on the user’s privileges, an attacker could carry out several malicious activities, such as installing malicious applications and creating new admin accounts.
Mozilla credited the researcher Luis Merino of X41 D-Sec for the discovery of the above flaws. The vulnerabilities reside in the implementation of iCal functions and could be used to crash the system when processing specially crafted email messages.
The expert pointed out that the flaws cannot be triggered via email in Thunderbird because scripting is disabled when reading mail. The issue could be exploitable in browser or browser-like contexts.
The good news is that Mozilla is not aware of any attacks exploiting the flaws in the wild.
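As an added example (not part of the article and not Mozilla tooling), the following Python inventory check flags Thunderbird installs older than the fixed 60.7.1 release, comparing version components numerically rather than as strings; the hostnames and versions in the sample inventory are constructed.

```python
"""Flag Thunderbird installs that predate the fixed release 60.7.1.

Comparing version strings as text is a classic inventory bug: "60.10.0"
sorts before "60.7.1" lexicographically even though it is newer. Parsing
each dotted component as an integer avoids that."""
import re

# Release that fixes CVE-2019-11703 through CVE-2019-11706 (per the article).
FIXED_VERSION = "60.7.1"

def parse_version(text):
    """Turn '60.7.1', '60.7' or '68.0b3' into a comparable integer tuple.
    Missing trailing components count as 0; a beta-style suffix is ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)

def is_vulnerable(version):
    """True when the install is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)

def hosts_needing_update(inventory):
    """Return the hostnames whose Thunderbird build predates 60.7.1."""
    return sorted(h for h, v in inventory.items() if is_vulnerable(v))

# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "wks-01": "60.7.0",
    "wks-02": "60.7.1",
    "wks-03": "60.10.0",   # a plain string compare would wrongly flag this
    "wks-04": "52.9.1",
    "wks-05": "68.0",
}

if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: Thunderbird {SAMPLE_INVENTORY[host]} needs the 60.7.1 update")
```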
The post Mozilla addressed flaws in Thunderbird that allow code execution appeared first on Security Affairs.