Mozilla has released Thunderbird 60.2.1, which fixes a number of vulnerabilities in the mail client, including one critical. The critical problem is related to memory corruption and can be used for remote code execution.
In total, the developers have fixed 7 vulnerabilities: 1 critical (CVE-2018-12376), 2 dangerous (CVE-2018-12377, CVE-2018-12378), 3 of moderate severity and 1 of low severity (CVE-2018-12383). The above vulnerabilities, in addition to the critical one, can lead to application crashes.
Notably, the company rated CVE-2018-12383 as a minor vulnerability, although it allows unencrypted passwords to be accessed easily. In addition, it is associated with the Firefox browser, not the Thunderbird client.
“If a user saves passwords in Firefox version up to Firefox 58, and then sets a master password, unencrypted copies of passwords are still available.
The problem is that the old password file is not deleted when transferring data to the new format introduced in Firefox 58. The new master password is added only to the new file, which can lead to the disclosure of stored passwords,” explained Mozilla engineers.
Mozilla Thunderbird users are strongly encouraged to upgrade to the new client version.
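
The leftover password file described in the Mozilla quote above can be checked for on disk. The following Python is an added example, not Mozilla's code and not part of the original article; it assumes the old key store is named `key3.db` and the new one `key4.db` (file names the article does not give) and that the caller supplies the directory containing the profiles.

```python
"""Added example: find profiles where the pre-Firefox-58 key store survived migration."""
import sys
from datetime import datetime, timezone
from pathlib import Path

# Assumed file names (not given in the article): legacy and migrated key stores.
LEGACY_KEY_DB = "key3.db"
CURRENT_KEY_DB = "key4.db"


def find_leftover_key_stores(profiles_root):
    """Return one finding per profile directory that holds BOTH key stores.

    A profile with only the legacy file has not been migrated yet, and a
    profile with only the new file has nothing left over, so neither is flagged.
    """
    root = Path(profiles_root)
    findings = []
    if not root.is_dir():
        return findings
    for profile in sorted(p for p in root.iterdir() if p.is_dir()):
        legacy = profile / LEGACY_KEY_DB
        current = profile / CURRENT_KEY_DB
        if legacy.is_file() and current.is_file():
            stat = legacy.stat()
            findings.append({
                "profile": profile.name,
                "legacy_path": str(legacy),
                "legacy_bytes": stat.st_size,
                "legacy_modified_utc": datetime.fromtimestamp(
                    stat.st_mtime, tz=timezone.utc).isoformat(),
            })
    return findings


if __name__ == "__main__":
    # Usage: python check_key_stores.py <profiles-root>
    if len(sys.argv) != 2:
        sys.exit("usage: check_key_stores.py <profiles-root>")
    results = find_leftover_key_stores(sys.argv[1])
    for f in results:
        print(f"{f['profile']}: {f['legacy_path']} "
              f"({f['legacy_bytes']} bytes, modified {f['legacy_modified_utc']})")
    # Non-zero exit status lets the check be used in fleet audit scripts.
    sys.exit(1 if results else 0)
```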