Endpoint

12/28/2017
01:30 PM
50%
50%

Mozilla Issues Critical Security Patch for Thunderbird Flaw

Mozilla released five patches for Thunderbird security vulnerabilities, including one critical buffer overflow bug affecting Windows machines.

Mozilla this week fixed a severe security problem in its open-source Thunderbird email client, which also serves as a client for news, RSS, and chat. The most critical flaw (CVE-2017-7845) is a buffer overflow bug affecting Thunderbird running on the Windows OS.

"A buffer overflow occurs when drawing and validating elements using Direct 3D 9 with the ANGLE graphics library, used for WebGL content," Mozilla wrote. "This is due to an incorrect value being passed within the library during checks and results in a potentially exploitable crash." The same bug was fixed in the Firefox browser earlier in December.

The critical patch was one of five security bugs Mozilla fixed this month. Others include two vulnerabilities rated high, one moderate, and one low. Both of the highly rated security flaws affected the RSS feed. The moderate and low bugs affected RSS and email, respectively.

The latest version of Thunderbird, 52.5.2, fixes all of the flaws. Read more details here.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
12/29/2017 | 7:55:52 AM
Discovery vs. Patch Release time
From the discovery of this vulnerability in early December to the time the patch was released was only a matter of a couple of weeks which is a pat on the back for the provider, Mozilla. If businesses follow best practice guidelines, this critical vulnerability would have been patching during standard patching.
What We Talk About When We Talk About Risk
Jack Jones, Chairman, FAIR Institute,  7/11/2018
Ticketmaster Breach Part of Massive Payment Card Hacking Campaign
Jai Vijayan, Freelance writer,  7/10/2018
Major International Airport System Access Sold for $10 on Dark Web
Kelly Sheridan, Staff Editor, Dark Reading,  7/11/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Cyberspace is much less secure than my old lamp.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-6681
PUBLISHED: 2018-07-17
Abuse of Functionality vulnerability in the web interface in McAfee Network Security Management (NSM) 9.1.7.11 and earlier allows authenticated users to allow arbitrary HTML code to be reflected in the response web page via appliance web interface.
CVE-2018-13864
PUBLISHED: 2018-07-17
A directory traversal vulnerability has been found in the Assets controller in Play Framework 2.6.12 through 2.6.15 (fixed in 2.6.16) when running on Windows. It allows a remote attacker to download arbitrary files from the target server via specially crafted HTTP requests.
CVE-2018-14338
PUBLISHED: 2018-07-17
samples/geotag.cpp in the example code of Exiv2 0.26 misuses the realpath function on POSIX platforms (other than Apple platforms) where glibc is not used, possibly leading to a buffer overflow.
CVE-2018-14337
PUBLISHED: 2018-07-17
The CHECK macro in mrbgems/mruby-sprintf/src/sprintf.c in mruby 1.4.1 contains a signed integer overflow, possibly leading to out-of-bounds memory access because the mrb_str_resize function in string.c does not check for a negative length.
CVE-2018-14329
PUBLISHED: 2018-07-17
In HTSlib 1.8, a race condition in cram/cram_io.c might allow local users to overwrite arbitrary files via a symlink attack.