SoylentNews is people

posted by Fnord666 on Sunday December 31 2017, @06:27AM
from the another-day-another-patch dept.

https://threatpost.com/mozilla-patches-critical-bug-in-thunderbird/129244/

Mozilla issued a critical security update to its popular open-source Thunderbird email client. The patch was part of a December release of five fixes that included two bugs rated high, one rated moderate and another rated low.

Mozilla said the latest Thunderbird version, 52.5.2, released last week, fixes the vulnerabilities. Thunderbird also serves as a news, RSS and chat client.

The most serious of the fixes is a critical buffer overflow bug (CVE-2017-7845) impacting Thunderbird running on the Windows operating system. The bug is present when "drawing and validating elements with angle library using Direct 3D 9," according to the Mozilla Foundation Security Advisory.


  • (Score: 4, Insightful) by J_Darnley on Sunday December 31 2017, @01:32PM (4 children)

    by J_Darnley (5679) on Sunday December 31 2017, @01:32PM (#616134)

    What the heck is an email client doing using a 3D rendering library?

  • (Score: 4, Funny) by maxwell demon on Sunday December 31 2017, @01:48PM

    by maxwell demon (1608) on Sunday December 31 2017, @01:48PM (#616136) Journal

    It allows you to see your emails from a different perspective. ;-)

    --
    The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 1, Informative) by Anonymous Coward on Sunday December 31 2017, @03:46PM (1 child)

    by Anonymous Coward on Sunday December 31 2017, @03:46PM (#616142)

    Given that Thunderbird is also a feed reader, it oftentimes displays HTML content (for example, the full HTML contents of an article). The bug seems to concern WebGL content. Mozilla's WebGL implementation relies, at least in part, on DirectX in Windows (as described in the bug).

    I always thought that Thunderbird shared Firefox' rendering engine. Wouldn't that bug also affect Firefox?

    • (Score: 3, Informative) by TheRaven on Sunday December 31 2017, @04:13PM

      by TheRaven (270) on Sunday December 31 2017, @04:13PM (#616147) Journal
      Firefox has very recently started doing what all of the other major web browsers have done for about a decade: splitting the browser into less privileged processes for isolation. On macOS, the WebKit framework does this for anything using WebKit, so when Mail.app renders an HTML email, the dangerous bits are run in a separate, sandboxed, process and just the final image appears in a texture. Thunderbird has been neglected by Mozilla for a while and doesn't do any of this kind of isolation, so the flaw is probably more dangerous in Thunderbird (where a compromise gets access to all of your emails, and all of your email account credentials) than Firefox (where, hopefully, it should only give access to the tab).
      --
      sudo mod me up
  • (Score: 2) by tekk on Sunday December 31 2017, @08:18PM

    by tekk (5704) Subscriber Badge on Sunday December 31 2017, @08:18PM (#616197)

    DirectX is how you draw on Windows. They deprecated GDI and the other methods iirc, so if you want to put pixels on the screen it's DX or OpenGL.