Thunderbird 102.2.1 is now available. The new version of the open source email client fixes several security issues in Thunderbird and includes other changes.

The security update addresses several vulnerabilities that could be used to bypass the built-in remote content blocking mechanism.

Thunderbird 102.2.1 is already available as an in-client update and as a separate download from the official project website. Existing users may select Help > About Thunderbird to display the current version. The program runs an automatic check for updates at this point to download and install any new version that is found during the check.

Thunderbird 102.2.1

The official security advisories page lists four different security issues that are patched in the new email client version. One issue is rated high, the other three are rated moderate.

  • CVE-2022-3033: Leaking of sensitive information when composing a response to an HTML email with a META refresh tag
  • CVE-2022-3032: Remote content specified in an HTML document that was nested inside an iframe’s srcdoc attribute was not blocked
  • CVE-2022-3034: An iframe element in an HTML email could trigger a network request
  • CVE-2022-36059: Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack

The issue rated high concerns emails that contain a meta tag with http-equiv="refresh" and a content attribute specifying a URL. Such emails could bypass the remote content block of the email client when a user replied to them.

The attacker could abuse it to run JavaScript code in “the context of the message compose document”, which allowed the threat actor to read and modify the content of the message compose document; this could include the decrypted content of an encrypted message, and this data could be transferred to another server.

Two of the three remaining vulnerabilities are remote content blocking bypass issues as well. The second vulnerability allowed remote objects to load in an HTML email that contained an iframe element and used a srcdoc attribute to define the inner HTML document. Remote content, such as images or videos, could be loaded that way from remote locations.

The third concerns HTML emails that specified an iframe to be loaded from a remote location. The request was sent, but Thunderbird never displayed the document.

The fourth fix corrects an issue in the Matrix chat protocol, which could make Thunderbird vulnerable to denial of service attacks.
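The three remote content issues above each depend on a specific HTML construct, so stored mail can be triaged for them on the defender's side. The following Python script is an added example, not code from Thunderbird or the advisories; the class and function names, the finding labels and the sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from html.parser import HTMLParser

REMOTE = ("http://", "https://", "//")

class RemoteContentScanner(HTMLParser):
    """Flags the three remote-content constructs described above."""
    def __init__(self, depth=0):
        super().__init__()
        self.depth, self.findings = depth, []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            if "url=" in a.get("content", "").lower():
                self.findings.append(("meta-refresh", a["content"]))
        elif tag == "iframe":
            src = a.get("src", "").strip()
            if src.lower().startswith(REMOTE):
                self.findings.append(("iframe-remote-src", src))
            if "srcdoc" in a and self.depth < 3:  # parse nested doc, bounded
                inner = RemoteContentScanner(self.depth + 1)
                inner.feed(a["srcdoc"])
                inner.close()
                self.findings += [("srcdoc:" + k, v) for k, v in inner.findings]
        elif self.depth > 0:  # inside a srcdoc document: images, video, etc.
            for name in ("src", "poster"):
                val = a.get(name, "").strip()
                if val.lower().startswith(REMOTE):
                    self.findings.append(("remote-" + tag, val))

def scan_message(raw_bytes):
    """Return (kind, value) findings for every text/html part of a message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            scanner = RemoteContentScanner()
            scanner.feed(part.get_content())
            scanner.close()
            findings += scanner.findings
    return findings

# Constructed sample message (not taken from the advisories).
SAMPLE = (b'Content-Type: text/html; charset="utf-8"\n\n'
          b'<meta http-equiv="refresh" content="0; url=https://example.invalid/r">\n'
          b'<iframe src="https://example.invalid/frame"></iframe>\n'
          b'<iframe srcdoc="&lt;img src=&quot;https://example.invalid/p.png&quot;&gt;"></iframe>\n')
if __name__ == "__main__":
    print(*scan_message(SAMPLE), sep="\n")
```

Ordinary top-level remote images are deliberately not flagged, since the page describes those as already covered by the normal remote content block.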

Other changes

The official release notes list several non-security improvements and fixes in the email client. The only new feature in Thunderbird 102.2.1 is the -calendar startup parameter to load the Calendar on start of the email client.

The only change is that a button is now displayed during account setup to connect automatically discovered address books and calendars.

More than a dozen fixes are listed. They address a whole range of issues, including POP email retrieval issues after network errors and recoveries, issues when exporting a profile, and issues when updating mail quota colors.

Now you: Thunderbird 102, still the previous version, or something else entirely for emails?

The post Thunderbird 102.2.1 launches with important security fixes appeared first on gHacks Technology News.