Stories
Slash Boxes
Comments

SoylentNews is people

Mozilla Patches Critical Bug in Thunderbird

posted by Fnord666 on Sunday December 31 2017, @06:27AM   Printer-friendly
from the another-day-another-patch dept.

mrpg writes:

https://threatpost.com/mozilla-patches-critical-bug-in-thunderbird/129244/

Mozilla issued a critical security update to its popular open-source Thunderbird email client. The patch was part of a December release of five fixes that included two bugs rated high and one rated moderate and another low.

Mozilla said Thunderbird, which is also serves as a news, RSS and chat client, the latest Thunderbird 52.5.2 version released last week fixes the vulnerabilities.

The most serious of the fixes is a critical buffer overflow bug (CVE-2017-7845) impacting Thunderbird running on the Windows operating system. The bug is present when "drawing and validating elements with angle library using Direct 3D 9," according to the Mozilla Foundation Security Advisory.

Original Submission

 
This discussion has been archived. No new comments can be posted.
Mozilla Patches Critical Bug in Thunderbird | Log In/Create an Account | Top | 7 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 1, Informative) by Anonymous Coward on Sunday December 31 2017, @03:46PM (1 child)

    by Anonymous Coward on Sunday December 31 2017, @03:46PM (#616142)

    Given that Thunderbird is also a feed reader, it oftentimes displays HTML content (for example, the full HTML contents of an article). The bug seems to concern WebGL content. Mozilla's WebGL implementation relies, at least in part, on DirectX in Windows (as described in the bug).

    I always thought that Thunderbird shared Firefox' rendering engine. Wouldn't that bug also affect Firefox?

    Starting Score:    0  points
    Moderation   +1  
       Informative=1, Total=1
    Extra 'Informative' Modifier   0  
    Total Score:   1  

  • (Score: 3, Informative) by TheRaven on Sunday December 31 2017, @04:13PM

    by TheRaven (270) on Sunday December 31 2017, @04:13PM (#616147) Journal
    Firefox has very recently started doing what all of the other major web browsers have done for about a decade: splitting the browser into less privileged processes for isolation. On macOS, the WebKit framework does this for anything using WebKit, so when Mail.app renders an HTML email, the dangerous bits are run in a separate, sandboxed, process and just the final image appears in a texture. Thunderbird has been neglected by Mozilla for a while and doesn't do any of this kind of isolation, so the flaw is probably more dangerous in Thunderbird (where a compromise gets access to all of your emails, and all of your email account credentials) than Firefox (where, hopefully, it should only give access to the tab).
    --
    sudo mod me up