Mozilla has patched numerous security vulnerabilities with the release of Thunderbird version 60.2.1. There was a total of seven vulnerabilities and one of them were considered as Critical as it was related to memory corruption and if exploited it could potentially lead to remote code execution. The remaining vulnerabilities were labelled as 2 high, 3 moderate, and 1 as low.
CVE-2018-12376: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2 labelled as critical
Some of them showed proof of memory corruption and with some struggle they could be exploited to run arbitrary code.
CVE-2018-12377: Use-after-free in refresh driver timers labelled as high
A use-after-free vulnerability can occur when refresh driver timers are refreshed in certain circumstances during shutdown when the timer is deleted while still in use and this could result in an exploitable crash.
CVE-2018-12378: Use-after-free in IndexedDB labelled as high
The vulnerabilities labelled as moderate include
CVE-2018-12379: Out-of-bounds write with malicious MAR file
CVE-2017-16541: Proxy bypass using automount and autofs
CVE-2018-12385: Crash in TransportSecurityInfo due to cached data
These bugs resulted in crashing of the Thunderbird and the bug which was rated as low is dubbed as “CVE-2018-12383”. After the Firefox 58, when a master password is set, it does not delete unencrypted previously stored passwords and a copy of these are easily accessible. The new master password is added only on the new file. As per the security advisory, this CVE-2018-12383 vulnerability permits the users an easy access to unencrypted passwords.
Mozilla Thunderbird users are highly recommended to upgrade to the latest version.