-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1006
      MFSA 2022-12 Security Vulnerabilities fixed in Thunderbird 91.7
                               10 March 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Thunderbird
Publisher:         Mozilla
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-26387 CVE-2022-26386 CVE-2022-26384
                   CVE-2022-26383 CVE-2022-26381

Original Bulletin:
   https://www.mozilla.org/en-US/security/advisories/mfsa2022-12/

Comment: CVSS (Max):  7.5 CVE-2022-26387 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Mozilla Foundation Security Advisory 2022-12

Security Vulnerabilities fixed in Thunderbird 91.7

Announced: March 8, 2022
Impact:    high
Products:  Thunderbird
Fixed in:  Thunderbird 91.7

In general, these flaws cannot be exploited through email in the Thunderbird
product because scripting is disabled when reading mail, but are potentially
risks in browser or browser-like contexts.

# CVE-2022-26383: Browser window spoof using fullscreen mode

Reporter: Irvan Kurniawan
Impact:   high

Description

When resizing a popup after requesting fullscreen access, the popup would not
display the fullscreen notification.

References

  o Bug 1742421

# CVE-2022-26384: iframe allow-scripts sandbox bypass

Reporter: Ed McManus
Impact:   high

Description

If an attacker could control the contents of an iframe sandboxed with
allow-popups but not allow-scripts, they were able to craft a link that, when
clicked, would lead to JavaScript execution in violation of the sandbox.
References

  o Bug 1744352

# CVE-2022-26387: Time-of-check time-of-use bug when verifying add-on signatures

Reporter: Armin Ebert
Impact:   high

Description

When installing an add-on, Thunderbird verified the signature before prompting
the user; but while the user was confirming the prompt, the underlying add-on
file could have been modified and Thunderbird would not have noticed.

References

  o Bug 1752979

# CVE-2022-26381: Use-after-free in text reflows

Reporter: Mozilla Fuzzing Team and Hossein Lotfi of Trend Micro Zero Day Initiative
Impact:   high

Description

An attacker could have caused a use-after-free by forcing a text reflow in an
SVG object leading to a potentially exploitable crash.

References

  o Bug 1736243

# CVE-2022-26386: Temporary files downloaded to /tmp and accessible by other local users

Reporter: attila
Impact:   low

Description

Previously Thunderbird for macOS and Linux would download temporary files to a
user-specific directory in /tmp, but this behavior was changed to download them
to /tmp where they could be affected by other local users. This behavior was
reverted to the original, user-specific directory.

This bug only affects Thunderbird for macOS and Linux. Other operating systems
are unaffected.

References

  o Bug 1752396

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYil1A+NLKJtyKPYoAQiXTxAAmj4z7+1y7HWJmkGuVk14kP40SMdqQmjW
fbdXbduO3ziO46sAy21PmLtAc77u0SfZnncn+O7qwTma5uV55GGw05rTiDJwI4Ch
xo+RYVTgaW68UKRyU38JhSW9thGP+DRuHD0fy4AnAefSYqZUvPfyQXS6W5MuI/Lf
IJNzY4BfXpWXp6UCcnb7Gsm1kwcCM2rQwB7//pAERsIMOQwaqj2b4SJhGBMkOb2v
ED6dM6VUxDj9zLp5QIpJ7ICWP26PIZvgsOdoUEv8Sns8g0NHgBc1BUGv4FiDRZwK
c+xNIU1XVzGHrIY9NiflhBcq2xSEsaCJNZjkietXMoqOoVbY5FDKO9fkn1oZJDEw
LmhC0QXN88xrbubEUVng7b0+ECf0c0IcxOpZYTSSTz5NtNcm3KjdVMIFQY0k4PHe
++JyhwJKSVQURhIEhsYOVUXpO1dPfMUvfwIkek8O9oHwAV2fGoeWpVjH3dV9ICnV
zkxBScNhAXiaMZ3wQKNEi7PkRPm6eM9vpPp+fhhU53DgxllewsmUzaCDTiyqTgZp
ZNy9GmgsupnAgcKHM3033Ielibu2aWAaBJEeK36EUfsRCtWaZkd1WOBrAsOerYPv
4lzE5sF+qFX/FCwGzSpTdskIX3JY7SNePRxzGYhAQGKbqr02Z6KOMq+5Ghp+SD1m
9Lq5cwS/+zc=
=Cf6R
-----END PGP SIGNATURE-----
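Editor's added example for the CVE-2022-26387 entry above (not Mozilla's, Thunderbird's or AusCERT's code). It models the time-of-check/time-of-use shape the advisory describes: an installer that verifies the file on disk, waits for the user to confirm a prompt, and then reads the file a second time to install it, next to a hardened installer that reads the bytes once and installs exactly what it verified. The "signature" here is an HMAC-SHA256 under a key the installer already holds; that, the key, the add-on contents and the single-process simulation of the prompt window are all constructed stand-ins, not Mozilla's add-on signing scheme.

```python
"""Model of the add-on signature check/use gap, with a hardened counterpart.
Everything here is constructed for illustration; it is not Thunderbird code."""
import hashlib
import hmac
import os
import tempfile

SIGNING_KEY = b"constructed-demo-key"  # constructed stand-in, not a real key


def sign(contents: bytes) -> bytes:
    """Stand-in for the real signing scheme (assumption): HMAC-SHA256 over the bytes."""
    return hmac.new(SIGNING_KEY, contents, hashlib.sha256).digest()


def signature_valid(contents: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(contents), signature)


def vulnerable_install(path, signature, prompt_user, install):
    """Check the file on disk, ask the user, then read the file AGAIN to install.
    Whatever changes the file between the two reads is installed unverified."""
    with open(path, "rb") as f:
        if not signature_valid(f.read(), signature):
            return "rejected"
    if not prompt_user():
        return "cancelled"
    with open(path, "rb") as f:
        install(f.read())  # second read: these bytes were never checked
    return "installed"


def hardened_install(path, signature, prompt_user, install):
    """Read once, verify those bytes, prompt, and install the very same bytes.
    Check and use operate on one in-memory copy, so the on-disk file no longer matters."""
    with open(path, "rb") as f:
        contents = f.read()
    if not signature_valid(contents, signature):
        return "rejected"
    if not prompt_user():
        return "cancelled"
    install(contents)
    return "installed"


def simulate(installer):
    """Run one installer against a file that is rewritten while the prompt is open.
    Returns (installer result, bytes actually installed or None)."""
    good = b"console.log('legitimate add-on')"        # constructed sample
    swapped = b"console.log('replaced during prompt')"  # constructed sample
    sig = sign(good)
    installed = []
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(good)

        def prompt_user():
            # Stands in for the prompt window: the file changes before the user clicks OK.
            with open(path, "wb") as f:
                f.write(swapped)
            return True

        result = installer(path, sig, prompt_user, installed.append)
    finally:
        os.unlink(path)
    return result, (installed[0] if installed else None)


if __name__ == "__main__":
    print("vulnerable:", simulate(vulnerable_install))
    print("hardened:  ", simulate(hardened_install))
```

The hardened form does not re-check the file after the prompt; it simply never goes back to the file. Re-reading and re-verifying after confirmation would also close the gap, but reading once is simpler to reason about and leaves no second window to audit.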
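Editor's added example for the CVE-2022-26386 entry above (not Thunderbird's or AusCERT's code). It contrasts the two download locations the advisory describes, a user-specific directory versus the shared temp root, and adds the check a reviewer would want: refuse to write a download unless the target directory is owned by the current user, is not a symlink, and carries no group or world permission bits. It is POSIX-only, matching the advisory's macOS/Linux scope; the directory prefix and sample data are constructed.

```python
"""Private temporary directory versus the shared temp root, with a permission check.
Constructed illustration; not Thunderbird code. POSIX only (macOS/Linux)."""
import os
import stat
import tempfile


def shared_tmp_download_dir() -> str:
    """The location the advisory describes as the regression: the shared temp root,
    where other local users can see and interfere with what is written."""
    return tempfile.gettempdir()


def private_download_dir(prefix: str = "constructed-demo-") -> str:
    """User-specific directory under the temp root. mkdtemp creates it with mode
    0700, so other local users cannot list, read or replace what is inside."""
    return tempfile.mkdtemp(prefix=prefix)


def is_private_dir(path: str) -> bool:
    """True only if path is a real directory (not a symlink) owned by the current
    user with no group or world permission bits set."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != os.geteuid():
        return False
    return (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def write_download(directory: str, name: str, data: bytes) -> str:
    """Write a downloaded file only into a directory that passes the check, and
    create it owner-read/write only (0600), exclusively, whatever the umask."""
    if not is_private_dir(directory):
        raise PermissionError(f"{directory} is not a private, user-owned directory")
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def file_mode(path: str) -> int:
    """Permission bits of path, for inspection."""
    return os.stat(path).st_mode & 0o777


def loosen(path: str) -> str:
    """Give group and others read/search access: what a shared location looks like
    to the check above. Used here only to show the check rejecting it."""
    os.chmod(path, 0o755)
    return path


if __name__ == "__main__":
    print("shared temp root passes check?", is_private_dir(shared_tmp_download_dir()))
    d = private_download_dir()
    p = write_download(d, "attachment.bin", b"constructed sample")
    print("wrote", p, "with mode", oct(file_mode(p)))
```

The check uses lstat rather than stat so that a symlink planted at the expected path is rejected instead of followed, and the file itself is opened with O_EXCL so an existing entry of the same name is an error rather than something to overwrite.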