  • Thunderbird 102.2.1 launches with important security fixes


    Karlston


    Thunderbird 102.2.1 is now available. The new version of the open source email client fixes several security issues in Thunderbird and includes other changes.

    The security update addresses several vulnerabilities that could be used to bypass the built-in remote content blocking mechanism.

     

    Thunderbird 102.2.1 is already available as an in-client update and as a separate download from the official project website. Existing users may select Help > About Thunderbird to display the current version. The program runs an automatic check for updates at this point to download and install any new version that is found during the check.

    Thunderbird 102.2.1


     

    The official security advisories page lists four different security issues that are patched in the new email client version. One issue is rated high, the other three are rated moderate.

     

    • CVE-2022-3033: Leaking of sensitive information when composing a response to an HTML email with a META refresh tag
    • CVE-2022-3032: Remote content specified in an HTML document that was nested inside an iframe's srcdoc attribute was not blocked
    • CVE-2022-3034: An iframe element in an HTML email could trigger a network request
    • CVE-2022-36059: Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack

     

    The issue rated high is the following: emails that contain a meta tag with the http-equiv="refresh" attribute and a content attribute specifying a URL could bypass the remote content block of the email client when a user replied to these emails.

     

    The attacker could abuse it to run JavaScript code in "the context of the message compose document", which allowed the threat actor to read and modify the content of the message compose document; this could include the decrypted content of an encrypted message, and this data could be transferred to another server.

     

    Two of the three remaining vulnerabilities address remote content blocking bypass issues as well. The second vulnerability loaded remote objects in an HTML email that contained an iframe element and used a srcdoc attribute to define the inner HTML document. Remote content, such as images or videos, could be loaded that way from remote locations.

     

    The third addresses an issue with HTML emails that instructed the client to load an iframe from a remote location. The request was sent, but Thunderbird never displayed the document.

     

    The fourth vulnerability corrects an issue in the Matrix chat protocol, which could make Thunderbird vulnerable to denial of service attacks.
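    A mail gateway or triage script can flag the three remote-content constructs described above (a meta refresh with a URL, remote content inside an iframe's srcdoc, and an iframe with a remote src) before a message reaches an unpatched client. The following Python scanner is an added example, not code from the article or from the Thunderbird project; the finding labels, function names and the sample message are constructed for illustration.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

REMOTE = ("http://", "https://", "//")
URL_ATTRS = ("src", "poster", "data", "background")

class Finder(HTMLParser):
    def __init__(self, depth=0):
        super().__init__()
        self.depth, self.findings = depth, []   # depth > 0: inside a srcdoc

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content="<delay>; url=<target>": text after ';' is a target
            if a.get("content", "").partition(";")[2].strip():
                self.findings.append("meta-refresh-url")
        if tag == "iframe" and a.get("src", "").lower().startswith(REMOTE):
            self.findings.append("iframe-remote-src")
        elif self.depth and any(a.get(k, "").lower().startswith(REMOTE)
                                for k in URL_ATTRS):
            self.findings.append("srcdoc-remote-content")
        if tag == "iframe" and "srcdoc" in a and self.depth < 3:
            inner = Finder(self.depth + 1)       # srcdoc holds a nested document
            inner.feed(a["srcdoc"])
            inner.close()
            self.findings += inner.findings

def scan_html(html):
    f = Finder()
    f.feed(html)
    f.close()
    return f.findings

def scan_message(raw):
    msg = message_from_string(raw, policy=default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            hits += scan_html(part.get_content())
    return hits

# Constructed sample message (not a real email).
SAMPLE = ('From: a@example.invalid\nSubject: constructed\nMIME-Version: 1.0\n'
          'Content-Type: text/html; charset="utf-8"\n\n'
          '<meta http-equiv="refresh" content="1; url=https://example.invalid/r">\n'
          '<iframe src="https://example.invalid/f"></iframe>\n'
          '<iframe srcdoc="&lt;img src=\'https://example.invalid/p.png\'&gt;"></iframe>\n')

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

    Ordinary top-level remote images are deliberately not flagged, since the client's normal remote content blocking already covers them.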

    Other changes

    The official release notes list several non-security improvements and fixes in the email client. The only new feature in Thunderbird 102.2.1 is the -calendar startup parameter to load the Calendar on start of the email client.

     

    The only change: a button is now displayed during account setup to connect automatically discovered address books and calendars.

     

    More than a dozen fixes are listed. They address a whole range of issues, including POP email retrieval issues after network errors and recoveries, issues when exporting a profile, and issues when updating mail quota colors.

     

    Now you: Thunderbird 102, still the previous version, or something else entirely for emails?

     

     

     
