Multiple flaws in email client resolved with security update
Mozilla has updated its Thunderbird email client to resolve an array of security flaws, including four high-severity web security vulnerabilities.
The CVE-2021-38503 vulnerability meant that iframe sandbox rules were not correctly applied to XSLT stylesheets, potentially allowing a malicious iframe to “bypass restrictions such as executing scripts or navigating the top-level frame”.
The vulnerability – more details on which can be found on the Bugzilla bug tracker – was discovered by security researcher Armin Ebert.
A more subtle but likewise high-impact vulnerability (CVE-2021-38507) creates a means to bypass the privacy and integrity protections offered by secure HTTPS connections.
The seldom-used Opportunistic Encryption feature of HTTP/2 allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection – including being same-origin with unencrypted connections on port 80.
Security researcher Takeshi Terada discovered that the technology offers a means to bypass the same-origin policy (SOP) on services hosted on other ports.
“If a second encrypted port on the same IP address (e.g. port 8443) did not opt-in to opportunistic encryption; a network attacker could forward a connection from the browser to port 443 to port 8443, causing the browser to treat the content of port 8443 as same-origin with HTTP,” a security advisory by Mozilla explains.
Mozilla addressed the problem by “disabling the Opportunistic Encryption feature”, which it reports has “low usage”.
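For operators who want to know whether any of their own cleartext HTTP services still advertise this feature, the following added example (not code from Mozilla or from the original article) parses `Alt-Svc` response header values as defined in RFC 7838. It flags `h2` alternatives offered by an `http://` origin, which is how a server offers opportunistic encryption under RFC 8164. The host names and header values are constructed sample input, and the function names are illustrative.

```python
import re

# One alternative per RFC 7838: protocol-id="host:port" plus optional ;name=value parameters.
_ALT = re.compile(r'\s*([^=\s;,]+)="([^"]*)"((?:\s*;\s*[^=\s;,]+=(?:"[^"]*"|[^;,\s]*))*)\s*')
_PARAM = re.compile(r';\s*([^=\s;,]+)=(?:"([^"]*)"|([^;,\s]*))')

def parse_alt_svc(value):
    """Parse an Alt-Svc header value into a list of alternatives."""
    value = value.strip()
    if value == "clear":  # "clear" withdraws all earlier advertisements
        return []
    alternatives, pos = [], 0
    while pos < len(value):
        m = _ALT.match(value, pos)
        if not m:
            raise ValueError(f"malformed Alt-Svc value at offset {pos}: {value!r}")
        proto, authority, raw_params = m.groups()
        host, sep, port = authority.rpartition(":")  # keeps "[::1]" intact as host
        if not sep or not port.isdigit():
            raise ValueError(f"alternative without a numeric port: {authority!r}")
        params = {n: q or u for n, q, u in _PARAM.findall(raw_params)}
        alternatives.append({"proto": proto, "host": host, "port": int(port), "params": params})
        pos = m.end()
        if pos < len(value):
            if value[pos] != ",":
                raise ValueError(f"expected ',' at offset {pos}: {value!r}")
            pos += 1
    return alternatives

def oe_offers(scheme, host, alt_svc):
    """(host, port) endpoints a cleartext origin advertises for HTTP/2 over TLS."""
    if scheme != "http":  # only cleartext origins use opportunistic encryption
        return []
    # An empty alternative host means "same host as the origin".
    return [(a["host"] or host, a["port"]) for a in parse_alt_svc(alt_svc) if a["proto"] == "h2"]

# Constructed sample responses: (origin scheme, origin host, Alt-Svc header value).
SAMPLES = [
    ("http", "mail.example.test", 'h2=":443"; ma=3600'),
    ("http", "intra.example.test", 'h3=":443"; ma=86400, h2="alt.example.test:8443"; ma=60; persist=1'),
    ("https", "shop.example.test", 'h2=":443"'),
    ("http", "old.example.test", "clear"),
]

def audit(samples):
    """Map each cleartext origin to the TLS endpoints it offers."""
    found = {f"{s}://{h}": oe_offers(s, h, v) for s, h, v in samples}
    return {origin: offers for origin, offers in found.items() if offers}

if __name__ == "__main__":
    for origin, offers in audit(SAMPLES).items():
        print(origin, "->", offers)
```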
Another high-impact vulnerability – tracked as CVE-2021-38506 – meant that Thunderbird could be forced into fullscreen mode without triggering any notification or warning to its user.
“This could lead to spoofing attacks on the browser UI (user interface) including phishing,” Mozilla warns.
The Thunderbird 91.3 update, released on November 3, resolves a total of seven high-impact vulnerabilities as well as three moderate-severity flaws, as detailed in Mozilla’s advisory.