Mozilla patches data leak in Thunderbird

Mozilla today released an important security update for Thunderbird. It fixes several vulnerabilities, including a data leak that attackers could exploit to obtain sensitive information.

With today’s update to Thunderbird 102.2.1, the developers are closing four security holes in Mozilla’s mail program. Mozilla classifies one vulnerability (CVE-2022-3033) as high risk; the other three are considered medium risk. In addition, numerous non-security-related bugs are fixed.
With a specially crafted email, an attacker could cause Thunderbird to call an attacker-controlled Internet address (URL), execute JavaScript code, and send data to that URL. To exploit the CVE-2022-3033 vulnerability, the prepared HTML mail must contain a meta tag with the attribute http-equiv="refresh" whose content attribute specifies a URL. If a user composes a reply to this mail, Thunderbird would connect to this URL, even if the mail program is configured to block external content.
With additional HTML constructs, JavaScript could be executed while the reply mail is still open. For example, the JavaScript code could read, modify and/or send parts of the reply to said URL or even change the target URL. The quoted content of the original mail could also be manipulated and/or diverted, even if it was originally encrypted. Even if the user decided not to send the reply email at all, the content of the reply that had been written or added up to that point might already have leaked unnoticed.
If you have set Thunderbird to display the text of the mail as “Simple HTML” or “Plain Text” by default, this vulnerability does not affect you.
More vulnerabilities with lower risk
Another vulnerability, CVE-2022-3032, allows Thunderbird to download external content even if it is blocked by default. To do this, a prepared mail must contain an iframe element in which an srcdoc attribute refers to a file on the Internet. This could be an image or a video. Thunderbird would load and display this file.
The CVE-2022-3034 vulnerability is similar to the aforementioned one, except that Thunderbird would not display the external file. The request to the computer on the Internet would still go out, however, which would at least tell the attacker that the e-mail had been opened. This is exactly what should be avoided.
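One way to flag the two HTML constructs described above (a meta refresh that names a URL, and an iframe whose srcdoc references a remote file) at a mail gateway or during triage. This is an added example, not code from Mozilla or from the original article, and it is a heuristic check rather than the Thunderbird fix. The names scan_message, refresh_target and RemoteTriggerScanner are illustrative, and the sample message with its .invalid hosts is constructed.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# A src/href value inside srcdoc that points at a network location.
REMOTE_REF = re.compile(r"""(?:src|href)\s*=\s*["']?\s*(?:https?:)?//""", re.I)

def refresh_target(content):
    """Return the URL named by a meta refresh content value, or None."""
    parts = re.split(r"[;,]", content, maxsplit=1)  # "0; url=https://x" or "0;https://x"
    if len(parts) < 2:
        return None                                  # delay only, no target URL
    target = re.sub(r"^\s*url\s*=\s*", "", parts[1], flags=re.I).strip(" \t'\"")
    return target or None

class RemoteTriggerScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        a = {name: value or "" for name, value in attrs}
        if tag == "meta" and a.get("http-equiv", "").strip().lower() == "refresh":
            target = refresh_target(a.get("content", ""))
            if target:
                self.findings.append(("meta-refresh", target))
        elif tag == "iframe" and REMOTE_REF.search(a.get("srcdoc", "")):
            self.findings.append(("iframe-srcdoc-remote", a["srcdoc"]))

def scan_message(raw: bytes):
    """Scan every text/html part of a raw message; return (kind, detail) tuples."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    scanner = RemoteTriggerScanner()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            scanner.feed(part.get_content())
    scanner.close()
    return scanner.findings

# Constructed sample, not a real message; hosts use the reserved .invalid TLD.
SAMPLE = b"""\
From: sender@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><head><meta http-equiv="refresh" content="0; url=https://t.example.invalid/r"></head>
<body><iframe srcdoc="&lt;img src=&quot;https://t.example.invalid/p.png&quot;&gt;"></iframe></body></html>
"""
```

A hit is a reason to quarantine or inspect the message, not proof of an exploit attempt, since newsletters also use remote references.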
Finally, the fourth vulnerability, CVE-2022-36059, can be exploited to perform a Denial of Service (DoS) attack. The prerequisite is that the user is using the Matrix chat protocol and the attacker is in the same chat room.
Thunderbird 91.x is obsolete
Mozilla retired the Thunderbird 91.x version branch after the update to version 91.13.0 on August 23 and is no longer providing updates for it. If you are still working with this generation of the mail program, you should update to Thunderbird 102. Mozilla continues to provide security updates, new features and bug fixes only for this new generation.