Thunderbird Succeeds in Obtaining its EFAIL Patch

Thunderbird has shoved code with patches for a dozen security flaws, containing the EFAIL encryption mess that occurred this May 2018. The EFAIL- precise patches state two flaws in Thunderbird’s managing of encoded messages: CVE-2018-12372, in which a hacker can create S/MIME and PGP decryption oracles in HTML messages; and CVE-2018-12373, in which S/MIME plain text can be dripped if a message is forwarded.

EFAIL was pronounced with a much-criticized method. The exposers emphasized the problem’s activity to read messages encoded with PGP and S/MIME – however the flaws were certain to client executions. Thunderbird customers will consequently welcome news that the user has joined the list of EFAIL – safe email tools.

Thunderbird 52.9 likewise contains certain perilous-rated patches. CVE-2018-12359 was a buffer overspill prominent to a possibly activity crash: “A buffer overflow can occur when rendering canvas content while adjusting the height and width of the <canvas> element dynamically, causing data to be written outside of the currently computed boundaries.” While the further, CVE-2018-12360, is a routine-after-free, similarly with a possibly activity crash: “A use-after-free vulnerability can occur when deleting an input element during a mutation event handler triggered by focusing that element.”

Matt Nelson, the security investigator had observed that the users under Windows 10, weren’t cautioned when they were opening implementable SettingContent-ms files (CVE-2018-12368). That flaw destined “unsuspecting users unfamiliar with this new file type might run an unwanted executable. This also allows a WebExtension with the limited permission to execute arbitrary code without user interaction on Windows 10 systems”.

Thunderbird also acceded to some memory safety flaws from the Firefox code base, also patched. The developer’s program explained that numerous of the flaws aren’t straight utilizable in the e-mail customer, scripting is deactivated while reading the messages, however “are potentially risks in browser or browser-like contexts”.

Leave a Reply

Your email address will not be published. Required fields are marked *