Operating System:

[WIN][UNIX/Linux]

Published:

30 January 2019

Protect yourself against future threats.

//Service

Phishing Take-Down

Drawing on our strong international CERT relationships we have a high success rate in delivering phishing take-downs.

Read more
Resources > Security Bulletins > ASB-2019.0043 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0043
               Mozilla Foundation Security Advisory 2019-03
                              30 January 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Thunderbird
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Increased Privileges            -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-18505 CVE-2018-18501 CVE-2018-18500
                      CVE-2016-5824  
Member content until: Friday, March  1 2019
Reference:            ASB-2019.0042

OVERVIEW

        A vulnerability has been identified in Mozilla Thunderbird prior to 
        version 60.5. [1]


IMPACT

        Mozilla has given the following information regarding these 
        vulnerabilities:
        
        "CVE-2016-5824: DoS (use-after-free) via a crafted ics file
        
        Reporter Brandon Perry
        Impact low
        
        Description
        
        A vulnerability in the Libical libary used by Thunderbird can allow
        remote attackers to cause a denial of service (use-after-free) via a
        crafted ICS calendar file." [1]
        
        "CVE-2018-18500: Use-after-free parsing HTML5 stream
        
        Reporter Yaniv Frank with SophosLabs
        Impact critical
        
        Description
        
        A use-after-free vulnerability can occur while parsing an HTML5 stream
        in concert with custom HTML elements. This results in the stream
        parser object being freed while still in use, leading to a potentially
        exploitable crash." [1]
        
        "CVE-2018-18501: Memory safety bugs fixed in Firefox 65, Firefox ESR
        60.5, and Thunderbird 60.5
        
        Reporter Mozilla developers and community
        Impact critical
        
        Description
        
        Mozilla developers and community members Alex Gaynor, Christoph Diehl,
        Steven Crane, Jason Kratzer, Gary Kwong, and Christian Holler reported
        memory safety bugs present in Firefox 64, Firefox ESR 60.4, and
        Thunderbird 60.4. Some of these bugs showed evidence of memory
        corruption and we presume that with enough effort that some of these
        could be exploited to run arbitrary code." [1]
        
        "CVE-2018-18505: Privilege escalation through IPC channel messages
        
        Reporter Jed Davis
        Impact high
        
        Description
        
        An earlier fix for an Inter-process Communication (IPC) vulnerability,
        CVE-2011-3079, added authentication to communication between IPC
        endpoints and server parents during IPC process creation. This
        authentication is insufficient for channels created after the IPC
        process is started, leading to the authentication not being correctly
        applied to later channels. This could allow for a sandbox escape
        through IPC channels due to lack of message validation in the listener
        process." [1]


MITIGATION

        Mozilla recommends upgrading Thunderbird to the latest
        version - Thunderbird 60.5. [1]


REFERENCES

        [1] Security vulnerabilities fixed in Thunderbird 60.5
            https://www.mozilla.org/en-US/security/advisories/mfsa2019-03/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXFDyv2aOgq3Tt24GAQiCEA//Qlkbgs6I6yq3b11XCjWfW08sKI3r5P40
ncdns7+9BDDomAEfJoQmTMw/0qUwDkc0ONCuduyKUth7N4jMJM42V8GKiltdFElH
kMoAtNE0Pw9UtnveGyfwxqde5KxSdlMBpyX5ZGuQ8VnX8YbU0zEIZlHWQngcvSZK
KUfvZ3PZwjYZsAGpSV/laqXG4db5O6fN3ybaAPoiZzq1GtWcUy2Rf0CRxF0FZxLv
ImjZW7q6kkTWOZdTf1xufIPPkwSh/FXdEbFkq7J6WAXFRRwH8XmVrGHEKzXElgGr
Tp0Ay1LCiWHUoRGYJhrzHmpu3NbrdwM1jHTevjbDLdYeyFOfo6F9pMmrFaHE5cx7
+fazn8kZj1JXKkbXkjGtjb/sWkTMgeetxz25SyjRxO4n5thAs2hd6b5nh1phrH7x
jiCFPsaH+oqIOGdb8qda/fn60E68cgzyEkwwDxX+lXIY+V5HUUmYbVqUnzWP9trF
fs+Byc3CFKFohMjAk6NaA9ve2xM7lwNsk1v7VFiRQ8JQdjMkVlHkr+wxW4+ado/C
4brs3/+p5oKaAVCBPuulzeDQc2+672ddLjbKhWEOSDyQf3K6q3R9q6ZjikWRykJq
wHUTA9njrN5cwKvH+zFcubcxRHjFSaIRk8Q2Igur+VoB+Ui1jpUSzX1zDYPpXVrn
zKLR3EVo1Zs=
=pbV5
-----END PGP SIGNATURE-----