-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0268
        Mozilla Thunderbird 60.9 and 68.1 contain 7 security fixes
                             16 September 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Thunderbird
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Access Privileged Data          -- Remote with User Interaction
                      Cross-site Scripting            -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-11752 CVE-2019-11746 CVE-2019-11744
                      CVE-2019-11743 CVE-2019-11742 CVE-2019-11740
                      CVE-2019-11739  
Member content until: Wednesday, October 16 2019
Reference:            ASB-2019.0252
                      ESB-2019.3429
                      ESB-2019.3359

OVERVIEW

        Security updates for Mozilla Thunderbird have been released as
        versions 60.9 and 68.1, addressing seven vulnerabilities and
        rated by Mozilla as priority "high". [1] [2]


IMPACT

        Mozilla has provided the following information:
        
        "# CVE-2019-11739: Covert Content Attack on S/MIME encryption using a crafted
        multipart/alternative message
        
        Encrypted S/MIME parts in a crafted multipart/alternative message can leak
        plaintext when included in an HTML reply/forward.
        
        # CVE-2019-11746: Use-after-free while manipulating video
        
        A use-after-free vulnerability can occur while manipulating video elements if
        the body is freed while still in use. This results in a potentially exploitable
        crash.
        
        # CVE-2019-11744: XSS by breaking out of title and textarea elements using
        innerHTML
        
        Some HTML elements, such as <title> and <textarea>, can contain literal angle
        brackets without treating them as markup. It is possible to pass a literal
        closing tag to .innerHTML on these elements, and subsequent content after that
        will be parsed as if it were outside the tag. This can lead to XSS if a site
        does not filter user input as strictly for these elements as it does for other
        elements.
        
        # CVE-2019-11742: Same-origin policy violation with SVG filters and canvas to
        steal cross-origin images
        
        A same-origin policy violation occurs allowing the theft of cross-origin images
        through a combination of SVG filters and a <canvas> element due to an error in
        how same-origin policy is applied to cached image content. The resulting
        same-origin policy violation could allow for data theft.
        
        # CVE-2019-11752: Use-after-free while extracting a key value in IndexedDB
        
        It is possible to delete an IndexedDB key value and subsequently try to extract
        it during conversion. This results in a use-after-free and a potentially
        exploitable crash.
        
        # CVE-2019-11743: Cross-origin access to unload event attributes
        
        Navigation events were not fully adhering to the W3C's "Navigation-Timing Level
        2" draft specification in some instances for the unload event, which restricts
        access to detailed timing attributes to only be same-origin. This resulted in
        potential cross-origin information exposure of history through timing
        side-channel attacks.
        
        # CVE-2019-11740: Memory safety bugs fixed in Firefox 69, Firefox ESR 68.1,
        Firefox ESR 60.9, Thunderbird 68.1, and Thunderbird 60.9
        
        Mozilla developers and community members Tyson Smith and Nathan Froyd reported
        memory safety bugs present in Firefox 68, Firefox ESR 68, Firefox 60.8,
        Thunderbird 68, and Thunderbird 60.8. Some of these bugs showed evidence of
        memory corruption and we presume that with enough effort some of these
        could be exploited to run arbitrary code." [1] [2]
        
        Mozilla also notes that:
        "In general, these flaws cannot be exploited through email in the Thunderbird
        product because scripting is disabled when reading mail, but are potentially
        risks in browser or browser-like contexts." [1][2]


MITIGATION

        Mozilla advises updating to Thunderbird version 60.9 or 68.1
        to address these vulnerabilities. [1][2]
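
        A way to check an inventory of installed Thunderbird versions
        against the fixed releases above. This is an added example, not
        part of the bulletin or of Mozilla's advisories; the host names,
        version strings and status labels are constructed, and treating
        branches newer than 68 as patched is an assumption.

```python
import re

# Fixed releases named in this bulletin, keyed by release branch (major version).
FIXED = {60: (60, 9), 68: (68, 1)}

# Constructed sample inventory: (host, reported version string). Not real data.
SAMPLE_INVENTORY = [
    ("ws-001", "Thunderbird 60.8.0"),
    ("ws-002", "Thunderbird 60.9.0"),
    ("ws-003", "68.0"),
    ("ws-004", "68.1.1"),
    ("ws-005", "68.0b5"),
    ("ws-006", "52.9.1"),
    ("ws-007", "n/a"),
]


def parse_version(text):
    """Return the first dotted number in text as a tuple of ints, or None."""
    match = re.search(r"\d+(?:\.\d+)*", text or "")
    if not match:
        return None
    return tuple(int(part) for part in match.group(0).split("."))


def status(version_text):
    """Classify one reported version against the fixed releases above."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    major = version[0]
    if major in FIXED:
        # Compare major.minor only; 60.9.0 and 60.9.1 both carry the fixes.
        return "patched" if version[:2] >= FIXED[major] else "update-required"
    if major > max(FIXED):
        # Assumption: branches released after 68.1 include these fixes.
        return "patched"
    # Any other branch below 68: the bulletin names no fixed release for it.
    return "no-fix-branch"


def triage(inventory):
    """Map each host to its status so unpatched hosts can be listed."""
    return {host: status(version) for host, version in inventory}


if __name__ == "__main__":
    for host, result in triage(SAMPLE_INVENTORY).items():
        print(f"{host}\t{result}")
```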


REFERENCES

        [1] Security vulnerabilities fixed in Thunderbird 60.9
            https://www.mozilla.org/en-US/security/advisories/mfsa2019-29/

        [2] Security vulnerabilities fixed in Thunderbird 68.1
            https://www.mozilla.org/en-US/security/advisories/mfsa2019-30/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----