-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT Security Bulletin
Multiple vulnerabilities have been identified in Mozilla Thunderbird ESR
1 November 2018
AusCERT Security Bulletin Summary
Product:              Mozilla Thunderbird
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Unauthorised Access             -- Remote with User Interaction
CVE Names:            CVE-2018-12393 CVE-2018-12392 CVE-2018-12391
Member content until: Saturday, December 1 2018
Multiple vulnerabilities have been identified in Mozilla Thunderbird
ESR prior to version 60.3. 
Mozilla have provided the following details regarding the
"#CVE-2018-12391: HTTP Live Stream audio data is accessible
During HTTP Live Stream playback on Firefox for Android, audio data
can be accessed across origins in violation of security policies.
Because the problem is in the underlying Android service, this issue
is addressed by treating all HLS streams as cross-origin and opaque
Note: this issue only affects Firefox for Android. Desktop versions
of Firefox are unaffected.
#CVE-2018-12392: Crash with nested event loops
When manipulating user events in nested loops while opening a
document through script, it is possible to trigger a potentially
exploitable crash due to poor event handling.
#CVE-2018-12393: Integer overflow during Unicode conversion while
A potential vulnerability was found in 32-bit builds where an
integer overflow during the conversion of scripts to an internal
UTF-16 representation could result in allocating a buffer too small
for the conversion. This leads to a possible out-of-bounds write.
Note: 64-bit builds are not vulnerable to this issue.
#CVE-2018-12389: Memory safety bugs fixed in Firefox ESR 60.3 and
Mozilla developers and community members Daniel Veditz and Philipp
reported memory safety bugs present in Firefox ESR 60.2. Some of
these bugs showed evidence of memory corruption and we presume that
with enough effort that some of these could be exploited to run
Memory safety bugs fixed in Firefox ESR 60.3 and Thunderbird 60.3
#CVE-2018-12390: Memory safety bugs fixed in Firefox 63, Firefox ESR
60.3, and Thunderbird 60.3
Mozilla developers and community members Christian Holler, Bob Owen,
Boris Zbarsky, Calixte Denizet, Jason Kratzer, Jed Davis, Taegeon
Lee, Philipp, Ronald Crane, Raul Gurzau, Gary Kwong, Tyson Smith,
Raymond Forbes, and Bogdan Tara reported memory safety bugs present
in Firefox 62 and Firefox ESR 60.2. Some of these bugs showed
evidence of memory corruption and we presume that with enough effort
that some of these could be exploited to run arbitrary code.
Memory safety bugs fixed in Firefox 63, Firefox ESR 60.3, and
Thunderbird 60.3" 
Mozilla recommends users upgrade to the latest version to address
these issues.
 Mozilla Foundation Security Advisory 2018-28
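
The bug class described under CVE-2018-12393, as an added example that is
not Mozilla's code and not part of the original bulletin: a 32-bit size
calculation for a UTF-16 buffer that wraps, beside a checked version.
Assumptions: size32_t models a 32-bit size_t, one UTF-16 code unit is
reserved per input byte, and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: models size_t on a 32-bit build, so the wraparound can be
   reproduced on a 64-bit host as well. */
typedef uint32_t size32_t;

/* Unchecked: bytes to allocate for `units` UTF-16 code units.
   The multiplication wraps modulo 2^32 without any error. */
size32_t utf16_bytes_unchecked(size32_t units) {
    return units * (size32_t)sizeof(uint16_t);
}

/* Checked: rejects any length whose byte size does not fit in 32 bits.
   *out_bytes is written only on success. */
bool utf16_bytes_checked(size32_t units, size32_t *out_bytes) {
    if (units > UINT32_MAX / sizeof(uint16_t))
        return false;
    *out_bytes = units * (size32_t)sizeof(uint16_t);
    return true;
}

/* Bytes the conversion would write past the end of a buffer sized by the
   unchecked calculation (0 when the size did not wrap). */
uint64_t utf16_shortfall(size32_t units) {
    uint64_t needed = (uint64_t)units * sizeof(uint16_t);
    return needed - utf16_bytes_unchecked(units);
}

int main(void) {
    /* Constructed input: a script just over 2 GiB long. */
    size32_t units = 0x80000010u;
    size32_t bytes = 0;

    printf("unchecked allocation: %u bytes\n",
           (unsigned)utf16_bytes_unchecked(units));
    printf("shortfall:            %llu bytes\n",
           (unsigned long long)utf16_shortfall(units));
    if (!utf16_bytes_checked(units, &bytes))
        printf("checked: length rejected before allocation\n");
    return 0;
}
```

On a 64-bit build the same multiplication is done in a 64-bit size_t and
does not wrap for these lengths, which matches the bulletin's note that
64-bit builds are not vulnerable.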
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----