Mozilla today released an important security update for Thunderbird. It fixes several vulnerabilities, including a data leak that attackers could exploit to obtain sensitive information.
With today’s update to Thunderbird 102.2.1, the developers close four security holes in Mozilla’s mail program. Mozilla classifies one vulnerability (CVE-2022-3033) as high risk; the other three vulnerabilities are considered medium risk. In addition, numerous bugs unrelated to security are fixed.
If you have set Thunderbird to display the text of the mail as “simple html” or “plain text” by default, this vulnerability does not affect you.
Further vulnerabilities with lower risk
Another vulnerability, CVE-2022-3032, causes Thunderbird to download external content even though it is blocked by default. To do this, a crafted mail must contain an iframe element in which an srcdoc attribute refers to a file on the Internet. This could be an image or a video. Thunderbird would load and display this file.
The CVE-2022-3034 vulnerability is similar to the aforementioned one, except that Thunderbird would not display the external file. The request to the computer on the Internet would still go out, however, which would at least tell the attacker that the e-mail had been opened. This is exactly what should be avoided.
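A mail gateway or triage script can flag the iframe/srcdoc pattern described for CVE-2022-3032 before a message reaches the client. The following Python code is an added example, not taken from Mozilla or from the original article; the class and function names and the sample message are constructed for illustration. It lists remote references in a mail's HTML parts, including those nested inside an iframe's srcdoc document.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# Attributes that can trigger a network fetch when they hold a remote URL.
URL_ATTRS = {"src", "href", "poster", "data", "background"}
REMOTE = re.compile(r"^\s*(https?:)?//", re.I)

# Constructed sample message (not a real mail); tracker.example is a placeholder.
SAMPLE = (
    "From: sender@example.com\nSubject: constructed sample\n"
    'MIME-Version: 1.0\nContent-Type: text/html; charset="utf-8"\n\n'
    "<html><body><p>Hello</p>\n"
    "<iframe srcdoc=\"&lt;img src='https://tracker.example/open.gif'&gt;\"></iframe>\n"
    "</body></html>\n"
)


class RemoteRefFinder(HTMLParser):
    """Collects remote URLs, descending into iframe srcdoc documents."""

    def __init__(self, in_srcdoc=False):
        super().__init__()
        self.in_srcdoc = in_srcdoc
        self.findings = []  # tuples of (location, tag, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            value = value or ""
            if tag == "iframe" and name == "srcdoc":
                # srcdoc carries a whole nested HTML document: parse it too.
                inner = RemoteRefFinder(in_srcdoc=True)
                inner.feed(value)
                inner.close()
                self.findings += inner.findings
            elif name in URL_ATTRS and REMOTE.match(value):
                where = "srcdoc" if self.in_srcdoc else "top-level"
                self.findings.append((where, tag, value.strip()))


def remote_refs_in_mail(raw_message):
    """Return remote references found in every text/html part of a message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = RemoteRefFinder()
            finder.feed(part.get_content())
            finder.close()
            findings += finder.findings
    return findings
```

Any finding whose location is "srcdoc" is worth quarantining or logging on clients that have not yet been updated, since the nested document is where the blocking failed.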
Finally, the fourth vulnerability, CVE-2022-36059, can be exploited to perform a Denial of Service (DoS) attack. The prerequisite is that the user is using the Matrix chat protocol and the attacker is in the same chat room.
Thunderbird 91.x is obsolete
Mozilla retired the Thunderbird 91.x version branch after the update to version 91.13.0 on August 23 and is not providing any further updates. If you are still working with this generation of the mail program, you should update to Thunderbird 102. Mozilla continues to provide security updates, new features and bug fixes only for this new generation.