-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.4645
    MFSA 2022-39 Security Vulnerabilities fixed in Thunderbird 91.13.1
                             20 September 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Thunderbird
Publisher:         Mozilla
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-3034 CVE-2022-3033 CVE-2022-3032

Original Bulletin: 
   https://www.mozilla.org/en-US/security/advisories/mfsa2022-39/

Comment: CVSS (Max):  7.5 CVE-2022-3033 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Mozilla Foundation Security Advisory 2022-39

Security Vulnerabilities fixed in Thunderbird 91.13.1

Announced: September 19, 2022
Impact:    high
Products:  Thunderbird
Fixed in:  Thunderbird 91.13.1

# CVE-2022-3033: Leaking of sensitive information when composing a response to
an HTML email with a META refresh tag

Reporter: Sarah Jamie Lewis
Impact:   high

Description

If a Thunderbird user replied to a crafted HTML email containing a meta tag
with the http-equiv="refresh" attribute and a content attribute specifying a
URL, then Thunderbird started a network request to that URL, regardless of the
configuration to block remote content. In combination with certain other HTML
elements and attributes in the email, it was possible to execute JavaScript
code included in the message in the context of the message compose document.
The JavaScript code was able to perform actions including, but probably not
limited to, reading and modifying the contents of the message compose
document, including the quoted original message, which could potentially
contain the decrypted plaintext of encrypted data in the crafted email. The
contents could then be transmitted to the network, either to the URL specified
in the META refresh tag or to a different URL, as the JavaScript code could
modify the URL specified in the document. This bug doesn't affect users who
have changed the default Message Body display setting to 'simple html' or
'plain text'.

References

  o Bug 1784838

# CVE-2022-3032: Remote content specified in an HTML document that was nested
inside an iframe's srcdoc attribute was not blocked

Reporter: Sarah Jamie Lewis
Impact:   moderate

Description

When receiving an HTML email that contained an iframe element which used a
srcdoc attribute to define the inner HTML document, remote objects specified in
the nested document, for example images or videos, were not blocked. Instead,
the network was accessed and the objects were loaded and displayed.

References

  o Bug 1783831

# CVE-2022-3034: An iframe element in an HTML email could trigger a network
request

Reporter: Thunderbird Team
Impact:   moderate

Description

When receiving an HTML email whose iframe element pointed to a remote location,
a request to the remote document was sent. However, Thunderbird didn't display
the document.

References

  o Bug 1745751
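As a defender-side illustration of the three vectors described above, here is
an added example (not Mozilla's or Thunderbird's code) of a small scanner that
flags them in an HTML message body, for use in mail-gateway filtering or
incident triage. It assumes Python 3 with only the standard library; the sample
bodies and the .example hostnames are constructed. A hit only means the message
contains a pattern these bugs handled unsafely; the remedy remains upgrading to
Thunderbird 91.13.1 (or, for CVE-2022-3033, the 'simple html' / 'plain text'
display setting noted above).

```python
# Added example (not Mozilla's or Thunderbird's code): flag the three remote-content
# vectors from MFSA 2022-39 in an HTML mail body, e.g. in a gateway or triage script.
# Sample messages at the bottom are constructed; the hostnames are placeholders.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that load an object (not mere links) and so fetch remote content.
OBJECT_URL_ATTRS = ("src", "poster", "background", "data")
REMOTE_SCHEMES = {"http", "https", "ftp"}
# The url=... part of a refresh directive, e.g. "0;url=https://h/x" or "5; URL='...'"
REFRESH_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\";]+)", re.IGNORECASE)


def is_remote(url):
    """True for absolute http(s)/ftp URLs and scheme-relative //host URLs."""
    url = url.strip()
    return url.startswith("//") or urlparse(url).scheme.lower() in REMOTE_SCHEMES


class RemoteContentScanner(HTMLParser):
    """Collect (cve, location, url) findings; re-entered for srcdoc documents."""

    def __init__(self, nested=False):
        super().__init__(convert_charrefs=True)
        self.nested = nested          # True while inside an iframe srcdoc document
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}   # names are lowercased
        where = "iframe srcdoc" if self.nested else "top-level body"

        # CVE-2022-3033: <meta http-equiv="refresh" content="...;url=REMOTE">
        # was followed while composing a reply, ignoring the remote-content block.
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = REFRESH_URL_RE.search(a.get("content", ""))
            if m and is_remote(m.group(1)):
                self.findings.append(("CVE-2022-3033", where, m.group(1).strip()))

        if tag == "iframe":
            # CVE-2022-3034: a remote iframe src was fetched even though not shown.
            src = a.get("src", "")
            if src and is_remote(src):
                self.findings.append(("CVE-2022-3034", where, src.strip()))
            # CVE-2022-3032: srcdoc holds a whole nested document; HTMLParser has
            # already unescaped the attribute, so scan it as its own document.
            if "srcdoc" in a:
                inner = RemoteContentScanner(nested=True)
                inner.feed(a["srcdoc"])
                inner.close()
                self.findings.extend(inner.findings)
        elif self.nested:
            # Objects (img, video, source, ...) inside the srcdoc document were not
            # blocked by the remote-content setting.
            for attr in OBJECT_URL_ATTRS:
                if attr in a and is_remote(a[attr]):
                    self.findings.append(("CVE-2022-3032", where, a[attr].strip()))


def scan_html_email(body):
    """Return a list of (cve, location, url) for every vector found in `body`."""
    scanner = RemoteContentScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


# --- constructed samples (placeholder hosts under .example) ---
META_REFRESH_BODY = """<html><head>
<meta http-equiv="refresh" content="0;url=https://remote.example/collect">
</head><body><p>Please reply to this message.</p></body></html>"""

SRCDOC_BODY = """<html><body>
<iframe srcdoc="&lt;img src=&quot;https://remote.example/pixel.gif&quot;&gt;"></iframe>
</body></html>"""

REMOTE_IFRAME_BODY = ('<html><body><iframe src="https://remote.example/frame.html">'
                      '</iframe></body></html>')

CLEAN_BODY = '<html><body><p>Hello</p><img src="cid:part1@local"></body></html>'

if __name__ == "__main__":
    for name, body in [("meta refresh", META_REFRESH_BODY), ("srcdoc", SRCDOC_BODY),
                       ("remote iframe", REMOTE_IFRAME_BODY), ("clean", CLEAN_BODY)]:
        print(name, "->", scan_html_email(body) or "no remote-content vectors")
```

Two design points: HTMLParser unescapes attribute values, so the srcdoc
document can be fed straight back into a second parser instance, which keeps
the nesting logic in one place; and inside the nested document only
object-loading attributes are flagged, since a plain link does not trigger a
fetch on display. A cid: reference to an attached part is not remote and is
left alone, as in the clean sample.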

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----