Multiple vulnerabilities have been identified in Mozilla Thunderbird, the most severe of which could allow for arbitrary code execution.
Mozilla released version 68.1, which includes fixes for multiple vulnerabilities discovered in previous versions. These vulnerabilities allow for arbitrary code execution in the security context of the user running Thunderbird. This means that admin accounts using Thunderbird should have the highest priority in your update deployment.
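As an added example (not Mozilla's or Lansweeper's code), the prioritization described above can be sketched in Python over a constructed inventory export: it flags installs older than 68.1 and puts admin accounts at the front of the patch queue. The CSV columns, host names and the treatment of `a`/`b` pre-release suffixes are assumptions.

```python
import csv
import io
import re

FIXED = (68, 1, 0)  # first fixed release named in the advisory
VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:([ab])\d*)?")

# Constructed sample inventory (hypothetical hosts, users and column names).
INVENTORY_CSV = """host,user,is_admin,thunderbird_version
ws-014,jdoe,no,60.9.0
ws-022,asmith,yes,68.0
srv-003,svc-mail,yes,68.1.0
ws-031,bnguyen,no,68.0b5
ws-040,ckim,no,68.10.0
ws-051,root-ops,yes,not-a-version
"""

def is_vulnerable(version_text):
    """True if older than 68.1, False if not, None if the string cannot be parsed."""
    m = VERSION_RE.fullmatch(version_text.strip())
    if m is None:
        return None  # unknown version: route to manual review, never assume patched
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))  # "68.1" and "68.1.0" compare equal
    prerelease = m.group(2) is not None  # assumption: 68.1b1 predates 68.1
    return nums < FIXED or (nums == FIXED and prerelease)

def triage(csv_text):
    """Return (patch_queue, unknown_hosts); the queue lists admin accounts first."""
    queue, unknown = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        verdict = is_vulnerable(row["thunderbird_version"])
        if verdict is None:
            unknown.append(row["host"])
        elif verdict:
            queue.append(row)
    # Numeric tuple comparison keeps 68.10.0 newer than 68.1; admins sort first.
    queue.sort(key=lambda r: (r["is_admin"] != "yes", r["host"]))
    return [(r["host"], r["user"], r["is_admin"] == "yes") for r in queue], unknown

if __name__ == "__main__":
    patch_queue, unknown_hosts = triage(INVENTORY_CSV)
    for host, user, admin in patch_queue:
        print(f"{host}\t{user}\t{'ADMIN' if admin else 'user'}")
    print("manual review:", ", ".join(unknown_hosts))
```

Hosts with an unparseable version string are reported separately so they are checked by hand instead of being counted as patched.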
Security vulnerabilities fixed in Thunderbird 68.1
- CVE-2019-11739 – Covert Content Attack on S/MIME encryption using a crafted multipart/alternative message.
- CVE-2019-11746 – Use-after-free while manipulating video.
- CVE-2019-11744 – XSS by breaking out of title and Textarea elements using innerHTML.
- CVE-2019-11742 – Same-origin policy violation with SVG filters and canvas to steal cross-origin images.
- CVE-2019-11752 – Use-after-free while extracting a key value in IndexedDB.
- CVE-2019-11740 – Memory safety bugs fixed in multiple Mozilla products.
Get A Report of all Vulnerable Thunderbird Installations
If you currently have Mozilla Thunderbird deployed on your workstations, it’s pretty critical that you update it at the earliest opportunity to ensure that you don’t fall prey to these vulnerabilities. Our custom Thunderbird Vulnerability Audit Report can tell you in no time which devices have an outdated Thunderbird version in place and need to be patched.
If you haven’t already, start your free Lansweeper trial and get a list of all vulnerable Mozilla Thunderbird versions in no time.