Mozilla addressed flaws in Thunderbird that allow code execution

Pierluigi Paganini June 14, 2019

Mozilla released security updates for the Thunderbird email client that address vulnerabilities that could allow code execution on impacted systems. 

Mozilla released security updates for the Thunderbird email client that address vulnerabilities that could be exploited by attackers to execute arbitrary code on impacted systems. 

Mozilla released Thunderbird version 60.7.1 that addresses three High severity vulnerabilities and one Low risk issue. 

The three High severity vulnerabilities addressed by Mozilla are:

  • CVE-2019-11703 – heap buffer overflow in the function icalparser.c;
  • CVE-2019-11704 – heap buffer overflow in the function icalvalue.c;
  • CVE-2019-11705 – stack buffer overflow in the function calrecur.c; 

The Low risk issue, tracked as CVE-2019-11706, is a type confusion in icalproperty.c. 

“Mozilla has released a security update to address vulnerabilities in Thunderbird. An attacker could exploit these vulnerabilities to take control of an affected system.” reads the advisory published by the US-CERT.

“The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for Thunderbird 60.7.1 and apply the necessary update.” 

The vulnerabilities affect all the Thunderbird versions prior to 60.7.1.  

Depending on the user’s privileges, an attacker could carry out several malicious activities, such as installing malicious applications and creating new admin accounts. 

Mozilla credited the researcher Luis Merino of X41 D-Sec for the discovery of the above flaws. The vulnerabilities affect the implementation of iCal functions, they could be used to cause a crash of the system when processing specially crafted email messages.

The expert pointed out that the flaws cannot be triggered via email in Thunderbird because the scripting is disabled when reading mail. The issue could be exploitable in browser or browser-like contexts.

The good news is Mozilla is not aware of any attack exploiting the flaws in the wild.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Thunderbird, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment