-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1006
      MFSA 2022-12 Security Vulnerabilities fixed in Thunderbird 91.7
                               10 March 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Thunderbird
Publisher:         Mozilla
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-26387 CVE-2022-26386 CVE-2022-26384
                   CVE-2022-26383 CVE-2022-26381 

Original Bulletin: 
   https://www.mozilla.org/en-US/security/advisories/mfsa2022-12/

Comment: CVSS (Max):  7.5 CVE-2022-26387 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Mozilla Foundation Security Advisory 2022-12

Security Vulnerabilities fixed in Thunderbird 91.7

Announced: March  8, 2022
Impact:    high
Products:  Thunderbird
Fixed in:  Thunderbird 91.7

In general, these flaws cannot be exploited through email in the Thunderbird
product because scripting is disabled when reading mail, but they are potential
risks in browser or browser-like contexts.

# CVE-2022-26383: Browser window spoof using fullscreen mode

Reporter: Irvan Kurniawan
Impact:   high

Description

When resizing a popup after requesting fullscreen access, the popup would not
display the fullscreen notification.

References

  o Bug 1742421

# CVE-2022-26384: iframe allow-scripts sandbox bypass

Reporter: Ed McManus
Impact:   high

Description

If an attacker could control the contents of an iframe sandboxed with
allow-popups but not allow-scripts, they were able to craft a link that, when
clicked, would lead to JavaScript execution in violation of the sandbox.

References

  o Bug 1744352

# CVE-2022-26387: Time-of-check time-of-use bug when verifying add-on signatures

Reporter: Armin Ebert
Impact:   high

Description

When installing an add-on, Thunderbird verified the signature before prompting
the user; but while the user was confirming the prompt, the underlying add-on
file could have been modified and Thunderbird would not have noticed.

References

  o Bug 1752979
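
As an added illustration (not code from the advisory or from Thunderbird), the following Python contrasts the verify-then-prompt-then-install ordering described above with a variant that verifies and installs the same in-memory bytes; the SHA-256 digest comparison and the `simulate_swap` helper are constructed stand-ins for the real add-on signature check and install flow.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for the add-on signature check (not Mozilla's format):
# the installer is assumed to already hold the trusted digest of the add-on.
GOOD_ADDON = b"good add-on contents"
TRUSTED_SHA256 = hashlib.sha256(GOOD_ADDON).hexdigest()

def signature_ok(data):
    return hashlib.sha256(data).hexdigest() == TRUSTED_SHA256

def install_toctou(path, confirm):
    # Ordering the advisory describes: verify what is on disk, prompt the user,
    # then install whatever is on disk afterwards. The file can change in between.
    with open(path, "rb") as f:
        if not signature_ok(f.read()):
            return None
    if not confirm():
        return None
    with open(path, "rb") as f:  # second read: not the bytes that were verified
        return f.read()

def install_fixed(path, confirm):
    # Read once, verify those bytes, prompt, then install the same bytes, so a
    # change to the file on disk after the check never reaches the installer.
    # (If the installer must work from a path, keep the file descriptor open and
    # install from that same descriptor rather than reopening by name.)
    with open(path, "rb") as f:
        data = f.read()
    if not signature_ok(data):
        return None
    if not confirm():
        return None
    return data

def simulate_swap(installer):
    # Write a valid add-on, then overwrite it while the "user" is confirming.
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(GOOD_ADDON)
        def confirm():
            with open(path, "wb") as f:  # modification during the prompt
                f.write(b"tampered contents")
            return True
        return installer(path, confirm)
    finally:
        os.unlink(path)
```

`simulate_swap(install_toctou)` returns the tampered bytes, while `simulate_swap(install_fixed)` returns exactly the bytes that passed verification.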

# CVE-2022-26381: Use-after-free in text reflows

Reporter: Mozilla Fuzzing Team and Hossein Lotfi of Trend Micro Zero Day Initiative
Impact:   high

Description

An attacker could have caused a use-after-free by forcing a text reflow in an
SVG object, leading to a potentially exploitable crash.

References

  o Bug 1736243

# CVE-2022-26386: Temporary files downloaded to /tmp and accessible by other local users

Reporter: attila
Impact:   low

Description

Previously Thunderbird for macOS and Linux would download temporary files to a
user-specific directory in /tmp, but this behavior was changed to download them
to /tmp where they could be affected by other local users. This behavior was
reverted to the original, user-specific directory.

This bug only affects Thunderbird for macOS and Linux. Other operating systems
are unaffected.

References

  o Bug 1752396

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================