Vulnerabilities in Thunderbird Email Client Allow Code Execution

Security updates released by Mozilla this week for the Thunderbird email client address vulnerabilities that could be exploited to execute arbitrary code on impacted systems. 

Available as version 60.7.1, the latest Thunderbird iteration addresses only four vulnerabilities. Of these, three were rated High severity and one Low risk. 

An attacker capable of exploiting the most severe of these vulnerabilities could execute arbitrary code on the vulnerable machine, the Multi-State Information Sharing and Analysis Center (MS-ISAC), a division of the Center for Internet Security, reveals in an advisory shared with SecurityWeek. 

“Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” the advisory reads. 

Thus, if the impacted user account is configured with fewer user rights on the system, the attack could be less harmful compared to incidents where accounts with administrative user rights are compromised. 

The High severity bugs addressed in the popular email client this month include CVE-2019-11703 (heap buffer overflow in icalparser.c), CVE-2019-11704 (heap buffer overflow in icalvalue.c), and CVE-2019-11705 (stack buffer overflow in icalrecur.c). 

The Low risk vulnerability is CVE-2019-11706, a type confusion in icalproperty.c. 

All of these security bugs were reported by Luis Merino of X41 D-Sec and all affect Thunderbird’s implementation of iCal, leading to a crash when processing certain email messages. However, only the first three are considered exploitable. 

Normally these flaws cannot be exploited through email in Thunderbird, given that scripting is disabled when reading mail, but they could pose a risk in browser or browser-like contexts, the MS-ISAC advisory reveals. 

All Thunderbird versions prior to 60.7.1 are vulnerable, but there are no reports of these vulnerabilities being exploited in the wild. 

The MS-ISAC advisory also notes that the vulnerabilities pose a High risk to large and medium business and government entities, but only a Medium risk to small government and business entities. 

view counter

Original author: Ionut Arghire