Mozilla Patches Critical Vulnerability in Thunderbird 60.2.1

Mozilla has released Thunderbird version 60.2.1 to resolve numerous security vulnerabilities in the mail program. One of these vulnerabilities is rated Critical because it could potentially lead to remote code execution.

In total, seven vulnerabilities were fixed in this update: 1 critical, 2 high, 3 moderate, and 1 low. According to Mozilla, the critical vulnerability was related to memory corruption that they felt could be exploited to perform code execution.

“Memory safety bugs present in Firefox 61 and Firefox ESR 60.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.”

The other bugs are ones that could cause Thunderbird to crash, while the one rated as low is titled “CVE-2018-12383: Setting a master password post-Firefox 58 does not delete unencrypted previously stored passwords” and, strangely, is for Firefox and not Thunderbird.

According to the security advisory, the CVE-2018-12383 vulnerability could potentially allow users easy access to unencrypted passwords.

“If a user saved passwords before Firefox 58 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Firefox 58. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations.”

If you use Mozilla Thunderbird, it is strongly suggested that you upgrade to this latest version.