                         AUSCERT Security Bulletin

        Mozilla Thunderbird 60.9 and 68.1 contain 7 security fixes
                             16 September 2019


        AusCERT Security Bulletin Summary

Product:              Mozilla Thunderbird
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Access Privileged Data          -- Remote with User Interaction
                      Cross-site Scripting            -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-11752 CVE-2019-11746 CVE-2019-11744
                      CVE-2019-11743 CVE-2019-11742 CVE-2019-11740
Member content until: Wednesday, October 16 2019
Reference:            ASB-2019.0252


        Security updates for Mozilla Thunderbird have been released as
        versions 60.9 and 68.1, addressing seven vulnerabilities and
        rated by Mozilla as priority "high". [1] [2]


        Mozilla has provided the following information:
        "# CVE-2019-11739: Covert Content Attack on S/MIME encryption using a crafted
        multipart/alternative message
        Encrypted S/MIME parts in a crafted multipart/alternative message can leak
        plaintext when included in an HTML reply/forward.
        # CVE-2019-11746: Use-after-free while manipulating video
        A use-after-free vulnerability can occur while manipulating video elements if
        the body is freed while still in use. This results in a potentially exploitable
        # CVE-2019-11744: XSS by breaking out of title and textarea elements using
        Some HTML elements, such as <title> and <textarea>, can contain literal angle
        brackets without treating them as markup. It is possible to pass a literal
        closing tag to .innerHTML on these elements, and subsequent content after that
        will be parsed as if it were outside the tag. This can lead to XSS if a site
        does not filter user input as strictly for these elements as it does for other
        # CVE-2019-11742: Same-origin policy violation with SVG filters and canvas to
        steal cross-origin images
        A same-origin policy violation occurs allowing the theft of cross-origin images
        through a combination of SVG filters and a <canvas> element due to an error in
        how same-origin policy is applied to cached image content. The resulting
        same-origin policy violation could allow for data theft.
        # CVE-2019-11752: Use-after-free while extracting a key value in IndexedDB
        It is possible to delete an IndexedDB key value and subsequently try to extract
        it during conversion. This results in a use-after-free and a potentially
        exploitable crash.
        # CVE-2019-11743: Cross-origin access to unload event attributes
        Navigation events were not fully adhering to the W3C's "Navigation-Timing Level
        2" draft specification in some instances for the unload event, which restricts
        access to detailed timing attributes to only be same-origin. This resulted in
        potential cross-origin information exposure of history through timing
        side-channel attacks.
        # CVE-2019-11740: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1,
        Firefox ESR 60.9, Thunderbird 68.1, and Thunderbird 60.9
        Mozilla developers and community members Tyson Smith and Nathan Froyd reported
        memory safety bugs present in Firefox 68, Firefox ESR 68, Firefox 60.8,
        Thunderbird 68, and Thunderbird 60.8. Some of these bugs showed evidence of
        memory corruption and we presume that with enough effort some of these
        could be exploited to run arbitrary code." [1] [2]
        Mozilla also notes that:
        "In general, these flaws cannot be exploited through email in the Thunderbird
        product because scripting is disabled when reading mail, but are potentially
        risks in browser or browser-like contexts." [1][2]


        Mozilla advises updating to Thunderbird version 60.9 or 68.1
        to address these vulnerabilities. [1][2]
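
        The behaviour described under CVE-2019-11744 above, as an added
        JavaScript example that is not from Mozilla or AusCERT: a simplified
        model of where a literal closing tag ends a <title> or <textarea>
        value, next to the encoding that prevents it. The function names and
        the sample string are constructed for illustration.

```javascript
// Simplified model (an assumption for illustration, not Firefox's parser):
// <title> and <textarea> hold raw text, so the only thing that can end
// them is their own closing tag. This models the behaviour described in
// CVE-2019-11744, where that closing tag was honoured inside .innerHTML.

const RAW_TEXT_ELEMENTS = new Set(["title", "textarea"]);

// Split a value assigned to element.innerHTML into the part that stays
// inside the element as text and the part that would be parsed as markup
// outside it under the behaviour in the advisory.
function splitAtClosingTag(tagName, value) {
  const tag = tagName.toLowerCase();
  if (!RAW_TEXT_ELEMENTS.has(tag)) {
    throw new Error(`not a raw-text element in this model: ${tagName}`);
  }
  // A closing tag name is case-insensitive and ends at whitespace, "/" or ">".
  const closing = new RegExp(`</${tag}(?=[\\s/>])`, "i");
  const match = closing.exec(value);
  if (match === null) {
    return { inside: value, outside: "" };
  }
  const end = value.indexOf(">", match.index);
  const rest = end === -1 ? "" : value.slice(end + 1);
  return { inside: value.slice(0, match.index), outside: rest };
}

// Defence: encode "&" and "<" so no closing tag can appear in the value.
// Assigning through textContent (or .value for a textarea) avoids markup
// parsing altogether and is the better choice where it is available.
function encodeForRawText(value) {
  return value.replace(/&/g, "&amp;").replace(/</g, "&lt;");
}

// Constructed sample input; the markup after the closing tag is inert.
const SAMPLE = "draft</TextArea ><b>outside</b>";

function demo() {
  return {
    unfiltered: splitAtClosingTag("textarea", SAMPLE),
    encoded: splitAtClosingTag("textarea", encodeForRawText(SAMPLE)),
  };
}

console.log(demo());
```

        A non-empty "outside" field marks input that needs the same
        filtering as any other markup sink.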


        [1] Security vulnerabilities fixed in - Thunderbird 60.9

        [2] Security vulnerabilities fixed in - Thunderbird 68.1

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.