-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.4707
     MFSA 2022-42 Security Vulnerabilities fixed in Thunderbird 102.3
                             23 September 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Mozilla Thunderbird
Publisher:         Mozilla
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-40962 CVE-2022-40960 CVE-2022-40959
                   CVE-2022-40958 CVE-2022-40957 CVE-2022-40956
                   CVE-2022-3155  

Original Bulletin: 
   https://www.mozilla.org/en-US/security/advisories/mfsa2022-42/

Comment: CVSS (Max):  7.5 CVE-2022-40962 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Mozilla Foundation Security Advisory 2022-42

Security Vulnerabilities fixed in Thunderbird 102.3

Announced: September 20, 2022
Impact:    high
Products:  Thunderbird
Fixed in:  Thunderbird 102.3

In general, these flaws cannot be exploited through email in the Thunderbird
product because scripting is disabled when reading mail, but they are potential
risks in browser or browser-like contexts. CVE-2022-3155 below is the exception:
it concerns attachments saved from email on macOS and does not depend on
scripting.

# CVE-2022-40959: Bypassing FeaturePolicy restrictions on transient pages

Reporter: Armin Ebert
Impact:   high

Description

During iframe navigation, certain pages did not have their FeaturePolicy fully
initialized leading to a bypass that leaked device permissions into untrusted
subdocuments.

References

  o Bug 1782211
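
As an added illustration (not part of Mozilla's advisory or code), the following
model shows how device permissions are supposed to propagate into subdocuments
under Feature Policy (now called Permissions Policy), and therefore what a fully
initialized policy prevents: a cross-origin iframe only receives a 'self'-default
feature such as camera when its embedder delegates it through the allow
attribute, and the embedder's own policy header can cut the whole chain. The
frame objects, origins and the DEFAULT_ALLOWLIST table are constructed
assumptions; the inheritance steps follow the spec's "inherited policy"
definition in simplified form.

```javascript
// Added example, not Mozilla's code: a simplified model of how a browser
// decides whether a permission-gated feature (here "camera") is available in
// a nested frame under Feature Policy / Permissions Policy. Assumptions: the
// default allowlist of every feature modelled is 'self' (the current spec
// default for camera, microphone and geolocation); origins are compared as
// serialized strings; policies use the "feature allowlist; feature allowlist"
// syntax of the iframe allow attribute and the legacy Feature-Policy header.

// Default allowlists (assumed spec defaults).
const DEFAULT_ALLOWLIST = {
  camera: "'self'",
  microphone: "'self'",
  geolocation: "'self'",
};

// Parse "camera 'self'; microphone https://a.example; fullscreen" into a Map.
// `emptyMeans` is what a bare feature name with no allowlist denotes:
// 'src' in an iframe allow attribute, 'none' in a response header.
function parsePolicy(text, emptyMeans) {
  const policy = new Map();
  for (const decl of text.split(";")) {
    const tokens = decl.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [feature, ...allowlist] = tokens;
    policy.set(feature, allowlist.length ? allowlist : [emptyMeans]);
  }
  return policy;
}

// Does an allowlist admit `origin`? 'self' is the origin of the document that
// wrote the policy; 'src' is the origin the iframe was navigated to.
function allowlistMatches(allowlist, origin, selfOrigin, srcOrigin) {
  for (const entry of allowlist) {
    if (entry === "*") return true;
    if (entry === "'none'") continue;
    if (entry === "'self'" && origin === selfOrigin) return true;
    if (entry === "'src'" && origin === srcOrigin) return true;
    try {
      if (new URL(entry).origin === origin) return true;
    } catch {
      // not a URL token; ignore it
    }
  }
  return false;
}

// A frame is { origin, parent, allow, header }: `allow` is the allow attribute
// of the iframe element that embeds it, `header` is the policy header the
// frame's own document was served with.
function isFeatureAllowed(feature, frame) {
  // Step 1: inherited policy from the embedding container. A child can never
  // hold a feature its parent lacks, and a cross-origin child only gets a
  // 'self'-default feature when the parent delegates it explicitly.
  let inherited = true;
  if (frame.parent) {
    if (!isFeatureAllowed(feature, frame.parent)) {
      inherited = false;
    } else {
      const container = parsePolicy(frame.allow ?? "", "'src'");
      if (container.has(feature)) {
        inherited = allowlistMatches(container.get(feature), frame.origin,
                                     frame.parent.origin, frame.origin);
      } else {
        const def = DEFAULT_ALLOWLIST[feature] ?? "'self'";
        inherited = def === "*" || frame.origin === frame.parent.origin;
      }
    }
  }
  if (!inherited) return false;

  // Step 2: the document's own header policy can only restrict further.
  const declared = parsePolicy(frame.header ?? "", "'none'");
  if (declared.has(feature)) {
    return allowlistMatches(declared.get(feature), frame.origin,
                            frame.origin, frame.origin);
  }
  return true; // default allowlists ('self' or *) always admit the document itself
}

// Constructed scenario: a first-party app embedding a third-party widget,
// which in turn embeds an ad frame.
function scenario() {
  const top = { origin: "https://app.example", parent: null, allow: null, header: null };
  const lockedTop = { ...top, header: "camera 'none'" };
  const frames = {
    noDelegation:       { origin: "https://widget.example", parent: top, allow: null, header: null },
    delegatedToSrc:     { origin: "https://widget.example", parent: top, allow: "camera", header: null },
    delegatedElsewhere: { origin: "https://widget.example", parent: top, allow: "camera https://other.example", header: null },
    sameOriginDefault:  { origin: "https://app.example", parent: top, allow: null, header: null },
    headerBlocksChain:  { origin: "https://widget.example", parent: lockedTop, allow: "camera", header: null },
  };
  frames.redelegated = { origin: "https://ads.example", parent: frames.delegatedToSrc, allow: "camera", header: null };
  const result = { topCamera: isFeatureAllowed("camera", top) };
  for (const [name, f] of Object.entries(frames)) result[name] = isFeatureAllowed("camera", f);
  return result;
}

console.log(scenario());
```

Independent of the fix, the model shows why restricting device features in the
top-level document's policy header is the conservative configuration: step 2
applies before any delegation, so nothing below that document can re-enable a
feature it has declared 'none'.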

# CVE-2022-40960: Data-race when parsing non-UTF-8 URLs in threads

Reporter: Armin Ebert
Impact:   high

Description

Concurrent use of the URL parser with non-UTF-8 data was not thread-safe. This
could lead to a use-after-free causing a potentially exploitable crash.

References

  o Bug 1787633

# CVE-2022-40958: Bypassing Secure Context restriction for cookies with __Host
and __Secure prefix

Reporter: Axel Chong (@Haxatron)
Impact:   moderate

Description

By injecting a cookie with certain special characters, an attacker on a shared
subdomain which is not a secure context could set and thus overwrite cookies
from a secure context, leading to session fixation and other attacks.

References

  o Bug 1779993
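
The prefix rules a cookie store must enforce, and the way a check applied before
name normalisation can be slipped past, as an added example that is not part of
Mozilla's advisory or code. The advisory does not name the special characters
involved; the leading-space variant below is a constructed illustration of the
same check-before-normalize pattern, and the rule strings, function names and
sample cookies are assumptions.

```javascript
// Added example, not Mozilla's code: a Set-Cookie validator enforcing the
// __Host-/__Secure- prefix rules as a user agent (or a reverse proxy that
// sanitises upstream Set-Cookie headers) should. The advisory does not name
// the special characters involved in the bypass; this model assumes the
// general check-before-normalize pattern: the raw name is tested for the
// prefix, then canonicalised, so a name that does not literally begin with
// "__Host-" escapes the rules yet is stored under the prefixed name.

const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // RFC 7230 token characters

// Parse one Set-Cookie header value into { rawName, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";");
  const eq = pair.indexOf("=");
  if (eq < 0) return null;
  const attrs = {};
  for (const part of rest) {
    const [k, ...v] = part.split("=");
    attrs[k.trim().toLowerCase()] = v.length ? v.join("=").trim() : true;
  }
  return { rawName: pair.slice(0, eq), value: pair.slice(eq + 1).trim(), attrs };
}

// RFC 6265 section 5.2 strips leading and trailing whitespace from the name;
// that is the single normalisation step modelled here.
function canonicalName(raw) {
  return raw.trim();
}

// Prefix rules (RFC 6265bis): __Secure- needs the Secure attribute and a
// secure context; __Host- additionally forbids Domain and requires Path=/.
function checkPrefixRules(name, attrs, fromSecureContext) {
  if (name.startsWith("__Secure-") || name.startsWith("__Host-")) {
    if (attrs.secure !== true) return "prefixed cookie lacks Secure";
    if (!fromSecureContext) return "prefixed cookie set from a non-secure context";
  }
  if (name.startsWith("__Host-")) {
    if ("domain" in attrs) return "__Host- cookie must not carry Domain";
    if (attrs.path !== "/") return "__Host- cookie must have Path=/";
  }
  return null;
}

// Vulnerable pattern: rules applied to the raw name, cookie stored under the
// canonical name.
function acceptCookieVulnerable(header, fromSecureContext) {
  const c = parseSetCookie(header);
  if (!c) return { ok: false, reason: "malformed" };
  const err = checkPrefixRules(c.rawName, c.attrs, fromSecureContext);
  if (err) return { ok: false, reason: err };
  return { ok: true, name: canonicalName(c.rawName), value: c.value };
}

// Hardened pattern: canonicalise, reject anything that is not a token, then
// apply the rules to the name that will actually be stored.
function acceptCookieHardened(header, fromSecureContext) {
  const c = parseSetCookie(header);
  if (!c) return { ok: false, reason: "malformed" };
  const name = canonicalName(c.rawName);
  if (!TOKEN_RE.test(name)) return { ok: false, reason: "cookie name is not a token" };
  const err = checkPrefixRules(name, c.attrs, fromSecureContext);
  if (err) return { ok: false, reason: err };
  return { ok: true, name, value: c.value };
}

// Constructed inputs: a legitimate session cookie set over HTTPS, plus two
// injection attempts from pages that are not secure contexts, each prepending
// a space to the name. The __Secure- variant also sets Domain, which is how a
// sibling subdomain would reach the parent domain's cookie.
function scenario() {
  const legit = "__Host-sid=abc123; Secure; Path=/";
  const injectedHost = " __Host-sid=attacker; Path=/";
  const injectedSecure = " __Secure-sid=attacker; Domain=app.example; Path=/";
  return {
    legitHardened: acceptCookieHardened(legit, true),
    hostVulnerable: acceptCookieVulnerable(injectedHost, false),
    hostHardened: acceptCookieHardened(injectedHost, false),
    secureVulnerable: acceptCookieVulnerable(injectedSecure, false),
    secureHardened: acceptCookieHardened(injectedSecure, false),
    securePrefixFromHttp: acceptCookieHardened("__Secure-t=1; Secure", false),
    hostWithDomain: acceptCookieHardened("__Host-a=1; Secure; Path=/; Domain=app.example", true),
  };
}

console.log(scenario());
```

The vulnerable path accepts both injected cookies and stores them under the
prefixed names, overwriting the legitimate values; the hardened path rejects
them because the prefix rules run against the name that will be stored.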

# CVE-2022-40956: Content-Security-Policy base-uri bypass

Reporter: Satoki Tsuji
Impact:   low

Description

When injecting an HTML base element, some requests would ignore the CSP's
base-uri settings and accept the injected element's base instead.

References

  o Bug 1770094
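
An added example (not Mozilla's code) of what the base-uri directive is supposed
to enforce, useful both for writing a policy that would constrain an injected
base element and for noting a common gap: base-uri has no fallback to
default-src, so a policy that omits it leaves base injection unrestricted even
in a fixed browser. The matcher is a simplified model of CSP source
expressions; the header strings, URLs and origins are constructed.

```javascript
// Added example, not Mozilla's code: how the CSP base-uri directive is meant
// to constrain an injected <base href>, so that a policy can be checked
// against the kind of injection the advisory describes. Assumptions: URLs are
// resolved with the WHATWG URL parser; 'self' means an exact origin match;
// only 'none', 'self', scheme-source ("https:") and host-source (optional
// scheme, optional leading "*.", optional port) are modelled, and path parts
// of host-sources are ignored.

const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Split a CSP header into directive name -> source expressions. Per CSP, the
// first occurrence of a directive wins and later duplicates are ignored.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (!tokens.length) continue;
    const [name, ...sources] = tokens;
    if (!directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Does a single source expression match `url` for a document at docOrigin?
function sourceMatches(expr, url, docOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === docOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?(?:\/.*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme + ":") return false;
  if (wildcard ? !url.hostname.endsWith("." + host) : url.hostname !== host) return false;
  if (port && port !== "*") {
    const urlPort = url.port || DEFAULT_PORT[url.protocol] || "";
    if (urlPort !== port) return false;
  }
  return true;
}

// Decide whether a <base href> may take effect. Important: base-uri does not
// fall back to default-src, so a policy without it leaves <base> unrestricted.
function baseAllowed(cspHeader, documentUrl, baseHref) {
  const csp = parseCsp(cspHeader);
  if (!csp.has("base-uri")) return true;
  const doc = new URL(documentUrl);
  const base = new URL(baseHref, documentUrl);
  return csp.get("base-uri").some((expr) => sourceMatches(expr, base, doc.origin));
}

// Constructed cases: `injected` is what an HTML-injection payload such as
// <base href="https://attacker.example/"> would set.
function scenario() {
  const doc = "https://app.example/account";
  const injected = "https://attacker.example/";
  return {
    noBaseUriDirective: baseAllowed("default-src 'self'", doc, injected),
    baseUriSelf: baseAllowed("default-src 'self'; base-uri 'self'", doc, injected),
    baseUriNone: baseAllowed("base-uri 'none'", doc, "/static/"),
    selfRelative: baseAllowed("base-uri 'self'", doc, "/static/"),
    wildcardCdn: baseAllowed("base-uri https://*.cdn.example", doc, "https://assets.cdn.example/v2/"),
    wildcardCdnApex: baseAllowed("base-uri https://*.cdn.example", doc, "https://cdn.example/"),
    explicitPort: baseAllowed("base-uri https://app.example:443", doc, "https://app.example/static/"),
    schemeDowngrade: baseAllowed("base-uri https:", doc, "http://app.example/"),
  };
}

console.log(scenario());
```

When reviewing a site's policy for this class of injection, the first case is
the one to look for: a policy that sets only default-src still lets an injected
base element redirect every relative script and form URL on the page.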

# CVE-2022-40957: Incoherent instruction cache when building WASM on ARM64

Reporter: Gary Kwong
Impact:   low

Description

Inconsistent data in instruction and data cache when creating wasm code could
lead to a potentially exploitable crash.
This bug only affects Thunderbird on ARM64 platforms.

References

  o Bug 1777604

# CVE-2022-3155: Attachment files saved to disk on macOS could be executed
without warning

Reporter: Koh M. Nakagawa
Impact:   low

Description

When saving or opening an email attachment on macOS, Thunderbird did not set
attribute com.apple.quarantine on the received file. If the received file was
an application and the user attempted to open it, then the application was
started immediately without asking the user to confirm.

References

  o Bug 1789061

# CVE-2022-40962: Memory safety bugs fixed in Thunderbird 102.3

Reporter: Mozilla developers and community
Impact:   high

Description

Mozilla developers Nika Layzell, Timothy Nikkel, Jeff Muizelaar, Sebastian
Hengst, Andreas Pehrson, and the Mozilla Fuzzing Team reported memory safety
bugs present in Thunderbird 102.2. Some of these bugs showed evidence of memory
corruption and we presume that with enough effort some of these could have been
exploited to run arbitrary code.

References

  o Memory safety bugs fixed in Thunderbird 102.3

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBYy02vckNZI30y1K9AQi24Q/9GGzz3JNnpuoSWw+ip/gkFH7hCTdytiuk
qnlRYhwLrUzjf0BmrfgLrDJeg+MiC+RGiEkU5xAl7p33tPstu5YCE927goewGpaz
yBWy+UwGmtqlNMPR6V+ZnNsoMpocGJkILjbVfe1jKJ82wbP5pZFbzqhZp1xh948T
a6YtQ1EH87q4uiaE9TlbCG1znXXoI6BGqxqhV3IEQhcIdfqhXfx+iGU172LnI60v
iY3087eSQ9Sp1awoeLB+ATNE2+ws8oAdCRSWAwRKh6JvnS7/XeLC0vdyZ1Lh1FuC
OwbmnuA1mbLlTGI2C8aRDjmLUTusAsL403galPSvL2EYPH/cXhpg9qlNXTnsrbQe
yky9D1XltNUaNLkBQ0O3nWJcuatcPEbBziOPsJSRZ9+OW1+pb148S4xU7IypfdcU
CxnChI3gKufIi7zCBwqBA29OHRWk7qJHnukbZnzQ0GW5dyQrGG2Qxe0938mGlSTI
LlgpzQN3emXOUyQSePzSLAqgoYjONfGUZ5D61Y0J74QLGiyg9DVdvK3K+i5ubb++
klOfRyfZG7roVJM0g6NbeBBqL1HcfqsXERLT+6wCIvfDl7D+403RvWSd4F/PiUcu
v8qO39lQQFZt/LEcjJsfd5Qx7aX50o7hfs9XBPZNWqosrfXzPtr5tRbE4tYvt6HE
BFDLOkj0CEQ=
=zF4J
-----END PGP SIGNATURE-----