Threat Watch

Exploitable Crashes Due to Thunderbird Bugs are Patched by Mozilla

On August 6th, a Mozilla Security Advisory was released detailing bugs and how they operate on systems. The advisory, which covers the latest version of Thunderbird, Mozilla’s email client, details 14 vulnerabilities, five of which are critical, and three of those five could possibly cause an exploitable crash. The first bug is listed as CVE-2018-12359 and is triggered when making changes such as adjusting the height and width of the <canvas> element, which in turn writes data outside the pre-computed boundaries. CVE-2018-12360 is triggered when “deleting an input element during a mutation event handler triggered by focusing that element.” Finally, the third bug, CVE-2018-12361, is a numeric overflow in SwizzleData code that occurs when determining buffer sizes. All of these vulnerabilities have since been patched by Mozilla.
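The bug class behind CVE-2018-12361 (a numeric overflow while determining a buffer size) is illustrated below as an added example. It is not Mozilla's SwizzleData code and not part of the advisory. The width/height/bytes-per-pixel formula, the function names and the 256 MiB cap are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Policy cap on a single image buffer (constructed value for this example). */
#define MAX_IMAGE_BYTES ((uint64_t)256 * 1024 * 1024)

/* "Before": 32-bit arithmetic wraps modulo 2^32, so oversized dimensions
 * produce a small size and later per-pixel writes run past the buffer. */
uint32_t unchecked_buffer_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* "After": compute in 64 bits, bound the result before multiplying, and
 * report failure instead of returning a truncated size. */
bool checked_buffer_size(uint32_t width, uint32_t height, uint32_t bpp,
                         size_t *out)
{
    if (width == 0 || height == 0 || bpp == 0)
        return false;

    /* 32-bit x 32-bit always fits in 64 bits, so this cannot wrap. */
    uint64_t row = (uint64_t)width * bpp;

    /* Division form of the check avoids overflowing while testing for it. */
    if (row > MAX_IMAGE_BYTES || height > MAX_IMAGE_BYTES / row)
        return false;

    *out = (size_t)(row * height);
    return true;
}

int main(void)
{
    /* Constructed input: 65536 x 16385 pixels at 4 bytes per pixel. */
    uint32_t w = 65536u, h = 16385u, bpp = 4u;
    size_t n = 0;

    printf("unchecked size: %u bytes\n", unchecked_buffer_size(w, h, bpp));
    printf("checked: %s\n",
           checked_buffer_size(w, h, bpp, &n) ? "accepted" : "rejected");
    return 0;
}
```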

ANALYST NOTES