Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT Security Bulletin ASB-2018.0119 Security vulnerabilities fixed in Thunderbird 52.8 21 May 2018 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Mozilla Thunderbird Operating System: Windows UNIX variants (UNIX, Linux, OSX) Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Denial of Service -- Remote with User Interaction Access Confidential Data -- Remote with User Interaction Unauthorised Access -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2018-5185 CVE-2018-5184 CVE-2018-5183 CVE-2018-5178 CVE-2018-5174 CVE-2018-5170 CVE-2018-5168 CVE-2018-5162 CVE-2018-5161 CVE-2018-5159 CVE-2018-5155 CVE-2018-5154 CVE-2018-5150 Member content until: Wednesday, June 20 2018 Reference: ASB-2018.0110 ASB-2018.0109 ESB-2018.1460 ESB-2018.1442 OVERVIEW Multiple security vulnerabilities have been identified in Mozilla Thunderbird prior to version 52.8. [1] IMPACT The vendor has provided the following details regarding the vulnerabilities: "In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts. CVE-2018-5183: Backport critical security fixes in Skia Reporter Mozilla Developers Impact critical Description Mozilla developers backported selected changes in the Skia library. These changes correct memory corruption issues including invalid buffer reads and writes during graphic operations. References * Bug 1454692 CVE-2018-5184: Full plaintext recovery in S/MIME via chosen-ciphertext attack Reporter Damian Poddebniak, Christian Dresen, Jens M?ller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, J?rg Schwenk Impact high Description Using remote content in encrypted messages can lead to the disclosure of plaintext. References * Bug 1411592 CVE-2018-5154: Use-after-free with SVG animations and clip paths Reporter Nils Impact high Description A use-after-free vulnerability can occur while enumerating attributes during SVG animations with clip paths. This results in a potentially exploitable crash. References * Bug 1443092 CVE-2018-5155: Use-after-free with SVG animations and text paths Reporter Nils Impact high Description A use-after-free vulnerability can occur while adjusting layout during SVG animations with text paths. This results in a potentially exploitable crash. References * Bug 1448774 CVE-2018-5159: Integer overflow and out-of-bounds write in Skia Reporter Ivan Fratric Impact high Description An integer overflow can occur in the Skia library due to 32-bit integer use in an array without integer overflow checks, resulting in possible out-of-bounds writes. This could lead to a potentially exploitable crash triggerable by web content. References * Bug 1441941 CVE-2018-5161: Hang via malformed headers Reporter cure53 Impact moderate Description Crafted message headers can cause a Thunderbird process to hang on receiving the message. References * Bug 1411720 CVE-2018-5162: Encrypted mail leaks plaintext through src attribute Reporter Damian Poddebniak, Christian Dresen, Jens M?ller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, J?rg Schwenk Impact moderate Description Plaintext of decrypted emails can leak through the src attribute of remote images, or links. References * Bug 1457721 CVE-2018-5170: Filename spoofing for external attachments Reporter cure53 Impact moderate Description It is possible to spoof the filename of an attachment and display an arbitrary attachment name. This could lead to a user opening a remote attachment which is a different file type than expected. References * Bug 1411732 CVE-2018-5168: Lightweight themes can be installed without user interaction Reporter Wladimir Palant Impact moderate Description Sites can bypass security checks on permissions to install lightweight themes by manipulating the baseURI property of the theme element. This could allow a malicious site to install a theme without user interaction which could contain offensive or embarrassing images. References * Bug 1449548 CVE-2018-5174: Windows Defender SmartScreen UI runs with less secure behavior for downloaded files in Windows 10 April 2018 Update Reporter Jimmy Impact moderate Description In the Windows 10 April 2018 Update, Windows Defender SmartScreen honors the SEE_MASK_FLAG_NO_UI flag associated with downloaded files and will not show any UI. Files that are unknown and potentially dangerous will be allowed to run because SmartScreen will not prompt the user for a decision, and if the user is offline all files will be allowed to be opened because Windows won?t prompt the user to ask what to do. Firefox incorrectly sets this flag when downloading files, leading to less secure behavior from SmartScreen. Note: this issue only affects Windows 10 users running the April 2018 update or later. It does not affect other Windows users or other operating systems. References * Bug 1447080 CVE-2018-5178: Buffer overflow during UTF-8 to Unicode string conversion through legacy extension Reporter Root Object Impact moderate Description A buffer overflow was found during UTF8 to Unicode string conversion within JavaScript with extremely large amounts of data. This vulnerability requires the use of a malicious or vulnerable legacy extension in order to occur. References * Bug 1443891 CVE-2018-5185: Leaking plaintext through HTML forms Reporter Damian Poddebniak, Christian Dresen, Jens M?ller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, J?rg Schwenk Impact low Description Plaintext of decrypted emails can leak through by user submitting an embedded form. References * Bug 1450345 CVE-2018-5150: Memory safety bugs fixed in Firefox 60, Firefox ESR 52.8, and Thunderbird 52.8 Reporter Mozilla developers and community Impact critical Description Mozilla developers and community members Christoph Diehl, Randell Jesup, Tyson Smith, Alex Gaynor, Ronald Crane, Julian Hector, Kannan Vijayan, and Jason Kratzer reported memory safety bugs present in Firefox 59, Firefox ESR 52.7, and Thunderbird 52.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code." [1] MITIGATION Mozilla advises upgrading to Thunderbird version 52.8. [1] REFERENCES [1] Mozilla Foundation Security Advisory 2018-13 https://www.mozilla.org/en-US/security/advisories/mfsa2018-13/ AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBWwIJz4x+lLeg9Ub1AQhqoxAAgFETQOP0b6Z4tkpFO26z/uHby9/i0Q86 sb2UqHdiKdOV7cR/IMJm2lX94gt1WJlAUHZHArCS5I4GcOSoGvuXM1q9SR4JpuuU uWDccmv5SOmKMsTi/i3Y0LIzUX1b6wRPnprX7glFdoyowBbO/uBhe4FfiphMNWYz Yt3b4DdblRtguQNkmnqHrlBeN6VK9cP+oishYIjVaE8IwaGCuhQeDizcBgLii/gc W+MFuNMk5f1uqYmsX1zpjgtAeIS/jCfEMb403MO0/ixTgjFbNN6rhmu4DFADnG13 7/pCnpArxf6ggKFsVqNDlJC4DtZIUnBILnI2zRRvm3l6MKNxTF/hzzkaw0WDBphU kp5ZHpIlbsrBwBCRju+M7aT8/deI3YP1OYRdLx/7hd/ih0VK7YOmWhBoh+5Myzgy JWhWkcf7BFmIwzGyHLKQn/9hmkvmrSxAkszbfNPYd29yeTOEIVju3XczWA8kK1YE VR/WSSKGXxbGAHSzeZkInr32AiODQw/W21/azF5R66XjTeMYYPe6ll1e+ElGHwT1 ifOA7EmHV9NSLA4DeuNJ38MzJn1alZU8r0rsPI7Cv50peUNbd2kZMWUu2C0aRPOU nlW0I0SzjKkYqZk+7uldi0v2/Tvb74NgoZGmoWI9CKVColU3wPbu3w+kc25aQ8Et xjjIkN07JyA= =6sxW -----END PGP SIGNATURE-----