Mozilla recently rolled out patches for two critical vulnerabilities in its Thunderbird email client. The vulnerabilities allegedly affected its IonMonkey JIT compiler. Mozilla fixed the bugs with the release of Thunderbird 60.6.1.
Two Critical Vulnerabilities In Thunderbird 60.6.1
As disclosed in Mozilla’s security advisory, two critical vulnerabilities existed in Thunderbird's IonMonkey JIT compiler. Mozilla confirmed rolling out patches for both issues with Thunderbird 60.6.1.
As reported, the first of these vulnerabilities, CVE-2019-9810, could result in a buffer overflow.
“Incorrect alias information in IonMonkey JIT compiler for Array.prototype.slice method may lead to missing bounds check and a buffer overflow.”
The second vulnerability (CVE-2019-9813) was an IonMonkey type confusion.
“Incorrect handling of __proto__ mutations may lead to type confusion in IonMonkey JIT code and can be leveraged for arbitrary memory read and write.”
Mozilla confirmed that the vulnerabilities could not be exploited through email because scripting is disabled in the software. However, they were “potentially risky” in browser-like contexts. Therefore, users should upgrade their systems to the patched Thunderbird version to avoid any mishaps.
Mozilla credited the researchers from Trend Micro’s Zero Day Initiative for reporting both the vulnerabilities.
Second Update For Thunderbird In A Month
Although the recent update 60.6.1 carries fixes for only two security bugs, Mozilla had already rolled out updates just a couple of weeks before this update. At that time, Mozilla patched quite a number of vulnerabilities in Thunderbird version 60.6.
That update includes fixes for three critical security bugs, four high-severity flaws, and two moderate-severity vulnerabilities. Among the critical flaws, CVE-2019-9791 and CVE-2019-9792 also existed in the IonMonkey just-in-time (JIT) compiler. Mozilla credited Samuel Groß from Google Project Zero for reporting both the bugs.
In addition, a high-severity vulnerability, CVE-2019-9795, also affected the IonMonkey JIT compiler. This type confusion flaw could potentially trigger an exploitable crash owing to malicious JavaScript.
With the release of Thunderbird 60.6, Mozilla also fixed memory safety bugs (CVE-2019-9788) that affected Firefox and Firefox ESR as well. The patches for the other two browsers were rolled out with Firefox 66 and Firefox ESR 60.6. However, this time, Mozilla’s advisory did not mention any such update for the other browsers.