-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.4645
     MFSA 2022-39 Security Vulnerabilities fixed in Thunderbird 91.13.1
                              20 September 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Thunderbird
Publisher:         Mozilla
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-3034 CVE-2022-3033 CVE-2022-3032

Original Bulletin:
   https://www.mozilla.org/en-US/security/advisories/mfsa2022-39/

Comment: CVSS (Max):  7.5 CVE-2022-3033 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Mozilla Foundation Security Advisory 2022-39

Security Vulnerabilities fixed in Thunderbird 91.13.1

Announced: September 19, 2022
Impact:    high
Products:  Thunderbird
Fixed in:  Thunderbird 91.13.1

# CVE-2022-3033: Leaking of sensitive information when composing a response to an HTML email with a META refresh tag

Reporter: Sarah Jamie Lewis
Impact:   high

Description

If a Thunderbird user replied to a crafted HTML email containing a meta tag, with the meta tag having the http-equiv="refresh" attribute, and the content attribute specifying a URL, then Thunderbird started a network request to that URL, regardless of the configuration to block remote content. In combination with certain other HTML elements and attributes in the email, it was possible to execute JavaScript code included in the message in the context of the message compose document.
The JavaScript code was able to perform actions including, but probably not limited to, reading and modifying the contents of the message compose document, including the quoted original message, which could potentially contain the decrypted plaintext of encrypted data in the crafted email. The contents could then be transmitted to the network, either to the URL specified in the META refresh tag, or to a different URL, as the JavaScript code could modify the URL specified in the document.

This bug doesn't affect users who have changed the default Message Body display setting to 'simple html' or 'plain text'.

References

  o Bug 1784838

# CVE-2022-3032: Remote content specified in an HTML document that was nested inside an iframe's srcdoc attribute was not blocked

Reporter: Sarah Jamie Lewis
Impact:   moderate

Description

When receiving an HTML email that contained an iframe element, which used a srcdoc attribute to define the inner HTML document, remote objects specified in the nested document, for example images or videos, were not blocked. Rather, the network was accessed, the objects were loaded and displayed.

References

  o Bug 1783831

# CVE-2022-3034: An iframe element in an HTML email could trigger a network request

Reporter: Thunderbird Team
Impact:   moderate

Description

When receiving an HTML email that specified to load an iframe element from a remote location, a request to the remote document was sent. However, Thunderbird didn't display the document.

References

  o Bug 1745751

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
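The three advisory items above describe HTML constructs (a META refresh tag, an iframe carrying a srcdoc document with remote objects, and an iframe with a remote src) that caused unpatched Thunderbird (fixed in 91.13.1) to issue network requests despite the setting that blocks remote content. A mail gateway or triage script can flag exactly those constructs before a message reaches a client that has not yet been upgraded. The following is an added example written for this bulletin, not Mozilla, Thunderbird or AusCERT code; it uses only Python's standard library, and the sample message bodies, the `example.invalid` host and the finding names are constructed for the demonstration.

```python
"""Audit an HTML email body for the constructs named in MFSA 2022-39.

Added illustration for this bulletin, not Mozilla or Thunderbird code.
Standard library only; the sample messages and the example.invalid host
are constructed for the demonstration.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List

# Scheme prefixes treated as "remote"; cid:, data: and relative references
# are local to the message and are not flagged.
REMOTE_PREFIXES = ("http:", "https:", "//", "ftp:")


def is_remote(url: str) -> bool:
    return url.strip().lower().startswith(REMOTE_PREFIXES)


def refresh_url(content: str) -> str:
    """Extract the URL from a META refresh content value such as '0; url=...'."""
    parts = content.split(";", 1)
    if len(parts) < 2:
        return ""
    target = parts[1].strip()
    if target.lower().startswith("url="):
        target = target[4:].strip()
    return target.strip("'\"")


@dataclass
class Finding:
    kind: str    # which advisory construct was matched (constructed names)
    detail: str  # the URL or tag that triggered it


class RemoteContentAuditor(HTMLParser):
    """Walk the document and recurse into iframe srcdoc documents."""

    def __init__(self, depth: int = 0) -> None:
        super().__init__(convert_charrefs=True)
        self.depth = depth          # 0 = top-level message, 1+ = inside srcdoc
        self.findings: List[Finding] = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # CVE-2022-3033: a META refresh in a message being replied to
            # caused a request to the named URL despite remote-content blocking.
            content = a.get("content", "")
            self.findings.append(Finding("meta-refresh", refresh_url(content) or content))
        elif tag == "iframe":
            src = a.get("src", "")
            if is_remote(src):
                # CVE-2022-3034: a remote iframe src triggered a request.
                self.findings.append(Finding("iframe-remote-src", src))
            if "srcdoc" in a:
                # CVE-2022-3032: HTMLParser has already unescaped the attribute
                # value, so the nested document can be parsed as-is.
                nested = RemoteContentAuditor(self.depth + 1)
                nested.feed(a["srcdoc"])
                nested.close()
                for f in nested.findings:
                    self.findings.append(Finding("srcdoc:" + f.kind, f.detail))
        elif tag in ("img", "video", "audio", "source", "object", "embed"):
            src = a.get("src") or a.get("data") or ""
            if is_remote(src):
                kind = "nested-remote-object" if self.depth else "remote-object"
                self.findings.append(Finding(kind, f"<{tag}> {src}"))


def audit_html(html: str) -> List[Finding]:
    """Return every flagged construct in document order (empty list if none)."""
    auditor = RemoteContentAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample bodies: one per advisory item plus a clean control.
SAMPLE_REFRESH = ('<html><head><meta http-equiv="refresh" '
                  'content="0; url=https://example.invalid/collect"></head>'
                  '<body><p>Please review.</p></body></html>')
SAMPLE_SRCDOC = ('<p>Report attached.</p><iframe srcdoc="&lt;img src=&quot;'
                 'https://example.invalid/pixel.gif&quot;&gt;"></iframe>')
SAMPLE_IFRAME = '<iframe src="https://example.invalid/doc.html"></iframe>'
SAMPLE_CLEAN = '<p>Plain <b>message</b> with <img src="cid:logo"> inline part</p>'

if __name__ == "__main__":
    for name, body in [("refresh", SAMPLE_REFRESH), ("srcdoc", SAMPLE_SRCDOC),
                       ("iframe", SAMPLE_IFRAME), ("clean", SAMPLE_CLEAN)]:
        print(name, [(f.kind, f.detail) for f in audit_html(body)])
```

Flagging at the gateway is a stop-gap alongside the upgrade to 91.13.1, not a replacement for it: Python's `html.parser` does not reproduce Thunderbird's HTML engine, so a differently encoded or malformed construct may parse differently in the client, and the display-setting change named in the advisory ('simple html' or 'plain text') remains the stronger client-side control. The srcdoc recursion is the part worth keeping even for other mail clients, since remote-content filters that inspect only the top-level document miss nested documents by construction.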
NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBYyko5MkNZI30y1K9AQgWbA/+KsnnlTveEl4T45NhFnBpFSs+rWuANVCF
iHc84K2/bycvxxR8OUcjItoHJYMIpU9ESz5tOBMpAkr++rNjKfzW6VM0myuL1dT9
a0pRbe5TIrBtYXgv8beBF5T05Uz3xb3BKwY4LnFll0FEyPR/FMK2IwTjkrzyB4yC
Cv8DHNFa92LmsvtTf9uAH3VomXbaOD3zSUXHQlQK73CN+rHkcqP45RHgo7c034CR
HldUzKhRVl7OSAeD4vkVyIFQwqhpVYyPkgps0MnKiBeeMVPE8245pjZfYq+isEcA
5/zelqLXihHXezH5++93l8YBpHsIblmmcqwoqsQE2zB7e60y92l8Pqi93npgvPIO
N2iGPk7JbMuydZ87Wnu5V3Xg4UZ3gdokjMakSmaow32B1iqVYglHS5Iq8cq1ANJS
a6l6b2wxbExd+EMGYKjPDgqE5A8kK6wrWAnCv/SPg42g1VNuW18eCIwyzlFEYkC7
aphFGZcMcmVEmXfnK7ETNNAtJNf5rev5llmONTEgJfJdcKCCSmtZC1LURhclpO6v
xfI1AuSH+0pKiLTdxoAC41mwDvMALOSbQi2A8+A/u+6QCWBzoA7xDpP5hQR3nmnE
TPMHWKbbX7VDWRCZdDimXoNWq7IdJdVkHPUD4viIEu8RZbl8iY+awWXSlce7dE1a
lNPEIu2UzcU=
=ftcV
-----END PGP SIGNATURE-----