             AUSCERT External Security Bulletin Redistribution

    MFSA 2022-39 Security Vulnerabilities fixed in Thunderbird 91.13.1
                             20 September 2022


        AusCERT Security Bulletin Summary

Product:           Thunderbird
Publisher:         Mozilla
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-3034 CVE-2022-3033 CVE-2022-3032

Original Bulletin: 

Comment: CVSS (Max):  7.5 CVE-2022-3033 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

Mozilla Foundation Security Advisory 2022-39

Security Vulnerabilities fixed in Thunderbird 91.13.1

Announced: September 19, 2022
Impact:    high
Products:  Thunderbird
Fixed in:  Thunderbird 91.13.1

# CVE-2022-3033: Leaking of sensitive information when composing a response to
an HTML email with a META refresh tag

Reporter: Sarah Jamie Lewis
Impact:   high


If a Thunderbird user replied to a crafted HTML email containing a meta tag
with the http-equiv="refresh" attribute and a content attribute specifying a
URL, then Thunderbird started a network request to that URL, regardless of the
setting that blocks remote content. In combination with certain other HTML
elements and attributes in the email, it was possible to execute JavaScript
code included in the message in the context of the message compose document.
The JavaScript code was able to perform actions including, but probably not
limited to, reading and modifying the contents of the message compose
document, including the quoted original message, which could potentially
contain the decrypted plaintext of encrypted data in the crafted email. The
contents could then be transmitted to the network, either to the URL specified
in the META refresh tag or to a different URL, as the JavaScript code could
modify the URL specified in the document. This bug doesn't affect users who
have changed the default Message Body display setting to 'simple html' or
'plain text'.


  o Bug 1784838

# CVE-2022-3032: Remote content specified in an HTML document that was nested
inside an iframe's srcdoc attribute was not blocked

Reporter: Sarah Jamie Lewis
Impact:   moderate


When receiving an HTML email that contained an iframe element which used a
srcdoc attribute to define the inner HTML document, remote objects specified in
the nested document, for example images or videos, were not blocked. Instead,
the network was accessed and the objects were loaded and displayed.


  o Bug 1783831

# CVE-2022-3034: An iframe element in an HTML email could trigger a network

Reporter: Thunderbird Team
Impact:   moderate


When receiving an HTML email that loaded an iframe element from a remote
location, a request to the remote document was sent, even though Thunderbird
did not display the document.


  o Bug 1745751
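The three advisories above describe HTML constructs that caused Thunderbird to reach the network despite remote-content blocking: a META refresh with a URL (CVE-2022-3033), remote objects inside an iframe's srcdoc document (CVE-2022-3032), and an iframe loaded from a remote location (CVE-2022-3034). The scanner below is an added example, not code from Mozilla, Thunderbird or AusCERT; it shows how a mail gateway or triage script could flag those constructs in an incoming message body before it reaches an unpatched client. The function and class names, the finding labels and the sample message (with made-up example.test hosts) are all constructed for this illustration.

```python
"""Flag the HTML-email constructs named in MFSA 2022-39 (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes that would cause a network request when loaded (assumption for
# this example; adjust to local policy).
REMOTE_SCHEMES = {"http", "https", "ftp"}

# Elements whose src attribute fetches a remote object when rendered.
OBJECT_TAGS = {"img", "video", "audio", "source", "object", "embed"}


def _is_remote(url):
    """True for absolute http/https/ftp URLs and protocol-relative //host URLs."""
    url = url.strip()
    return url.startswith("//") or urlsplit(url).scheme.lower() in REMOTE_SCHEMES


def _refresh_url(content):
    """Extract the target URL from a META refresh content value, e.g. '0; url=...'."""
    for part in content.split(";")[1:]:
        part = part.strip().strip("'\"")
        if part.lower().startswith("url="):
            part = part[4:].strip().strip("'\"")
        if part:
            return part
    return None


class MailHtmlScanner(HTMLParser):
    """Walk an HTML mail body and record (cve, description, url) findings."""

    def __init__(self, depth=0):
        super().__init__()
        self.depth = depth          # 0 = top-level document, >0 = inside srcdoc
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}

        # CVE-2022-3033: META refresh pointing at a remote URL.
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            url = _refresh_url(a.get("content", ""))
            if url and _is_remote(url):
                self.findings.append(("CVE-2022-3033", "meta refresh to remote URL", url))

        elif tag == "iframe":
            # CVE-2022-3032: the nested srcdoc document must be scanned too.
            # HTMLParser has already unescaped the attribute value for us.
            if a.get("srcdoc"):
                nested = MailHtmlScanner(depth=self.depth + 1)
                nested.feed(a["srcdoc"])
                nested.close()
                self.findings.extend(nested.findings)
            # CVE-2022-3034: iframe fetched from a remote location.
            src = a.get("src", "")
            if src and _is_remote(src):
                self.findings.append(("CVE-2022-3034", "iframe loaded from remote location", src))

        # Remote objects are only reported inside a srcdoc document, which is the
        # case the advisory says bypassed the remote-content block.
        elif tag in OBJECT_TAGS and self.depth > 0:
            src = a.get("src", "")
            if src and _is_remote(src):
                self.findings.append(("CVE-2022-3032", "remote object inside iframe srcdoc", src))


def scan_html_mail(html_body):
    """Return the list of findings for one HTML message body."""
    scanner = MailHtmlScanner()
    scanner.feed(html_body)
    scanner.close()
    return scanner.findings


# Constructed sample message containing all three constructs.
SAMPLE_MAIL = """<html><head>
<meta http-equiv="refresh" content="0; url=https://collector.example.test/r">
</head><body>
<p>Hello,</p>
<iframe srcdoc="&lt;img src=&quot;https://tracker.example.test/pixel.png&quot;&gt;"></iframe>
<iframe src="https://remote.example.test/frame.html"></iframe>
</body></html>"""


if __name__ == "__main__":
    for cve, what, url in scan_html_mail(SAMPLE_MAIL):
        print(f"{cve}: {what} -> {url}")
```

A body that only references inline parts (cid: URLs) or a META refresh without a URL produces no findings, so the scanner can be run on every inbound HTML part without flagging ordinary mail; a hit is a reason to quarantine the message or to confirm that recipients run Thunderbird 91.13.1 or later.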

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: https://auscert.org.au/gpg-key/