
Several significant vulnerabilities have been found in the widely used Thunderbird email client and Firefox web browser. An attacker could exploit these issues to cause a denial of service, obtain sensitive data, bypass security restrictions, perform cross-site tracing, execute arbitrary code, or escalate privileges on impacted systems.

What Are These Vulnerabilities & How Do They Impact Me?

The following security issues were discovered and fixed in Thunderbird and Firefox:

Thunderbird

  • If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass security restrictions, perform cross-site tracing, or execute arbitrary code. (CVE-2023-6858)
  • Thunderbird did not properly parse a PGP/MIME payload that contains digitally signed text. An attacker could exploit this issue to spoof an email message. (CVE-2023-50762)
  • Thunderbird did not properly compare the signature creation date with the message date and time when using a digitally signed S/MIME email message. An attacker could exploit this issue to spoof the date and time of an email message. (CVE-2023-50761)
  • Thunderbird did not properly manage memory when used on systems with the Mesa VM driver. An attacker could exploit this issue to execute arbitrary code. (CVE-2023-6856)
  • Thunderbird did not properly validate the textures produced by remote decoders. An attacker could exploit this issue to escape the sandbox. (CVE-2023-6860)

Firefox

  • An attacker could escalate privileges through devtools, enabling them to view additional infrastructure to attack, add or delete users, or modify permissions of files or other users. (CVE-2024-0751)
  • Memory safety bugs fixed in Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7. (CVE-2024-0755)
  • Out-of-bounds memory read in networking channels. (CVE-2024-1546)
  • Alert dialog could have been spoofed on another site. (CVE-2024-1547)
  • Fullscreen Notification could have been hidden by a select element. (CVE-2024-1548)
  • Custom cursor could obscure the permission dialog. (CVE-2024-1549)
  • The mouse cursor re-positioned unexpectedly could have led to unintended permission grants. (CVE-2024-1550)
  • Multipart HTTP Responses would accept the Set-Cookie header in response parts. (CVE-2024-1551)
  • Incorrect code generation on 32-bit ARM devices. (CVE-2024-1552)
  • Memory safety bugs fixed in Firefox 123, Firefox ESR 115.8, and Thunderbird 115.8. (CVE-2024-1553)

Exploitation of these bugs could result in the compromise of sensitive information or loss of system availability.

How Can I Secure My Linux Systems?

Crucial updates for Thunderbird and Firefox have been released to fix these impactful vulnerabilities. Because these flaws pose a severe threat to affected systems if left unpatched, we strongly recommend that all impacted users apply the released updates to protect against data theft and loss of system access.
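As an added example (not part of the original advisory), the following script checks whether an installed Firefox or Thunderbird is at or beyond the fixed releases this advisory names (Firefox 123, Firefox ESR 115.8, Thunderbird 115.8). It assumes the binaries answer `--version` with output like `Mozilla Firefox 115.7.0esr` and treats any Firefox 115.x as the ESR branch, which has its own fixed version.

```python
from __future__ import annotations
import re
import shutil
import subprocess

# Fixed releases named in the advisory for CVE-2024-1553 and its companions.
# Assumption: Firefox 115.x is the ESR line; Thunderbird 115 follows the ESR numbering.
FIXED_VERSIONS = {
    "firefox": {"mainline": (123, 0), "esr": (115, 8)},
    "thunderbird": {"mainline": (115, 8)},
}

def parse_version(output: str) -> tuple[int, ...]:
    """Pull the numeric version out of e.g. 'Mozilla Firefox 115.7.0esr'."""
    m = re.search(r"(\d+(?:\.\d+)*)", output)
    if not m:
        raise ValueError(f"no version found in {output!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def is_patched(product: str, output: str) -> bool:
    """True when the reported version is at or beyond the advisory's fixed release.

    Firefox 115.x is compared against ESR 115.8; any other Firefox major is
    compared against mainline 123; Thunderbird is compared against 115.8.
    """
    ver = parse_version(output)
    fixed = FIXED_VERSIONS[product]
    if product == "firefox" and ver[0] == 115:
        return ver >= fixed["esr"]
    return ver >= fixed["mainline"]

def installed_version_output(product: str) -> str | None:
    """Run '<product> --version' if the binary exists; None if it is not installed."""
    if shutil.which(product) is None:
        return None
    result = subprocess.run([product, "--version"], capture_output=True, text=True)
    return result.stdout.strip() or None

if __name__ == "__main__":
    # Constructed sample strings, so the check runs even without the binaries.
    samples = {"firefox": "Mozilla Firefox 115.7.0esr", "thunderbird": "Thunderbird 115.8.1"}
    for product, sample in samples.items():
        output = installed_version_output(product) or sample
        state = "patched" if is_patched(product, output) else "VULNERABLE - update"
        print(f"{product}: {output} -> {state}")
```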

To stay on top of essential updates released by the open-source programs and applications you use, register as a LinuxSecurity user, subscribe to our Linux Advisory Watch newsletter, and customize your advisories for your distro(s). This will enable you to stay up-to-date on the latest, most significant issues impacting the security of your systems.

Follow @LS_Advisories on X for real-time updates on advisories for your distro(s).