
Multiple high-impact security issues have been discovered in Thunderbird. Their exploitation could result in denial of service (the client crashing and users losing access to their mail), the execution of arbitrary code, or spoofing attacks. The findings include a vulnerability involving incorrect code generation during JIT compilation (CVE-2023-25751) and high-severity memory safety bugs present in Thunderbird 102.8 (CVE-2023-28176).

Thunderbird 102.9.0 has been released as a security and bug fix update and the latest stable version of the open source email client. This article will cover the vulnerabilities recently found in Thunderbird and fixed in version 102.9.0 to equip you with the information you need to protect against potential downtime and system compromise that could result from the exploitation of these bugs.

Thunderbird 102.9.0 Security Fixes

Thunderbird 102.9.0 fixes six security issues in the email program with severity ratings of high and moderate, and an aggregated severity rating of high. The vulnerabilities addressed in version 102.9.0 include:

  • CVE-2023-25751: Incorrect code generation during JIT compilation could lead to a potentially exploitable crash (high severity rating)
  • CVE-2023-28164: A URL being dragged from a removed cross-origin iframe into the same tab triggered navigation, potentially leading to user confusion and website spoofing attacks (moderate severity rating)
  • CVE-2023-28162: Invalid downcast in Worklets could lead to a potentially exploitable crash (moderate severity rating)
  • CVE-2023-25752: A potential out-of-bounds access when handling throttled streams may have led future code to be incorrect and vulnerable (moderate severity rating)
  • CVE-2023-28163: Windows Save As dialog resolved environment variables in the context of the current user (moderate severity rating)
  • CVE-2023-28176: Memory safety bugs present in Thunderbird 102.8 showed evidence of memory corruption and could potentially be exploited to run arbitrary code (high severity rating)

The release also includes the following non-security fixes:

  • Notification about a sender's changed OpenPGP key was not immediately visible
  • TLS Certificate Override dialog did not appear when retrieving messages via IMAP using "Get Messages" context menu
  • Spellcheck dictionaries were missing from localized Thunderbird builds that should have included them
  • Tooltips for "Show/Hide" calendar toggle did not display

Upgrade to Thunderbird 102.9.0 Now!

In order to protect against these exploits, it is critical that all affected users upgrade immediately. Existing Thunderbird installations should receive the update automatically, as long as automatic updates have not been disabled by an administrator (for example through an enterprise policy).

For users who prefer to update manually, select Help > About Thunderbird, or click the Settings icon in the new sidebar on the left and look under the update section of the General tab. Thunderbird displays the installed version in a small overlay window, performs an update check, and downloads and installs any update it finds.
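For administrators who want to confirm across a fleet that the 102.9.0 fixes are present and that the automatic update path has not been switched off, the following POSIX shell script is an added example; it is not part of the LinuxSecurity article or the Thunderbird project. It assumes that `thunderbird --version` prints a banner of the form "Thunderbird <version>" and that, on Linux, an enterprise policy file at /etc/thunderbird/policies/policies.json may carry a DisableAppUpdate key; the sample banners and policy file it exercises are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the article or from Thunderbird.
# Assumptions: `thunderbird --version` prints "Thunderbird <version>";
# the Linux enterprise policy file is /etc/thunderbird/policies/policies.json.

FIXED_VERSION="102.9.0"   # first release carrying the fixes discussed above

# version_ge A B: succeed when dotted version A >= B, comparing each
# component numerically so that 102.10.0 ranks above 102.9.0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0
            bi = (i <= nb) ? y[i] + 0 : 0
            if (ai > bi) exit 0
            if (ai < bi) exit 1
        }
        exit 0
    }'
}

# tb_version_from_banner "Thunderbird 102.9.0" -> prints 102.9.0;
# prints nothing when the banner does not look like Thunderbird output.
tb_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Thunderbird \([0-9][0-9.]*\).*$/\1/p'
}

# check_thunderbird_patched BANNER: exit status 0 = patched,
# 1 = older than FIXED_VERSION, 2 = banner could not be parsed.
check_thunderbird_patched() {
    v=$(tb_version_from_banner "$1")
    [ -n "$v" ] || return 2
    version_ge "$v" "$FIXED_VERSION"
}

# auto_update_disabled POLICY_FILE: succeed when the policy file sets
# "DisableAppUpdate": true, which blocks the automatic update path.
auto_update_disabled() {
    [ -r "$1" ] || return 1
    grep -Eq '"DisableAppUpdate"[[:space:]]*:[[:space:]]*true' "$1"
}

# report BANNER POLICY_FILE: print a one-line verdict for one host.
report() {
    rc=0
    check_thunderbird_patched "$1" || rc=$?
    case $rc in
        0) echo "OK: $1" ;;
        1) echo "VULNERABLE: $1 (older than $FIXED_VERSION)" ;;
        *) echo "UNKNOWN: could not parse '$1'" ;;
    esac
    if auto_update_disabled "$2"; then
        echo "NOTE: DisableAppUpdate is set in $2; this host will not self-update"
    fi
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    # Query the installed client on this machine.
    report "$(thunderbird --version 2>/dev/null)" /etc/thunderbird/policies/policies.json
else
    # Demonstration on constructed inputs (no real host is inspected).
    tmp=$(mktemp)
    printf '{ "policies": { "DisableAppUpdate": true } }\n' > "$tmp"
    report "Thunderbird 102.8.0" "$tmp" || true   # constructed: vulnerable, updates off
    report "Thunderbird 102.9.0" /dev/null || true # constructed: patched
    rm -f "$tmp"
fi
```

Run it with `--live` on a host to inspect the locally installed client; without arguments it walks through the constructed samples. A version older than 102.9.0 on a host whose policy file sets DisableAppUpdate is the combination that needs manual intervention, since the automatic update described above will never run there.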

To stay on top of important updates released by the open-source programs and applications you use, be sure to register as a LinuxSecurity user, then subscribe to our Linux Advisory Watch newsletter and customize your advisories for the distro(s) you use. This will enable you to stay up-to-date on the latest, most significant issues impacting the security of your systems.

Follow @LS_Advisories on Twitter for real-time updates on advisories for your distro(s).