On June 20, 2019 the Thunderbird developers released an update of the email client Thunderbird to version 60.7.2. This is a security update that closes critical vulnerabilities. Here is some information about it.
German blog reader MGC pointed out the update in this comment (thanks for that) – but I haven’t had the time to publish an article. Today I checked Thunderbird on my system. The update was detected during an update search in Thunderbird Portable and installed without any issues.
Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.
- CVE-2019-11708: sandbox escape using Prompt:Open (high): Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user’s computer.
Known issues are: Due to changes in the Mozilla platform, profiles stored on Windows network shares addressed by drive letters are now addressed via UNC. Chat: Twitter does not work because the API on Twitter.com has been changed.