|
There are isolated problems with current patches, but they are well-known and documented on this site. |
Mozilla Releases Security Update
https://www.us-cert.gov/ncas/current-activity/2017/06/15/Mozilla-Releases-Security-Update
Original release date: June 15, 2017
Mozilla has released a security update to address multiple vulnerabilities in Thunderbird. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
US-CERT encourages users and administrators to review the Mozilla Security Advisory for Thunderbird 52.2 and apply the necessary update.
@martinbrinkmann posted on ghacks.net about problems he experienced in Thunderbird 52.2.0
Thanks for that link. Will be on the lookout. I updated to 52.2.0 today, and so far all of my folders seem intact and everything is there as it was previously. Not sure what happened to Martin …
I use imap exclusively with several accounts.
Windows 10 Pro 22H2
@Paul, I’ve not taken the time needed to thoroughly research this, but on checking a CVE number used in Mozilla’s post, it is showing as Reserved i.e. details appear not to have been released/published yet.
I believe that details are sometimes not published until the fix is in place, but I am not aware if this is the case in this situation. Thunderbird has not appeared in the weekly NCAS bulletins in recent weeks, that I have seen.
Here are the vulnerabilities that Mozilla just fixed in Thunderbird 52.2.0
https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/
Here are the vulnerabilities that Mozilla recently fixed in Firefox 54.
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/
There does appear to be some crossover between the two regarding some CVEs.
I usually apply Mozilla fixes immediately. So far I have never had an update from them that crippled my browsing or email. And it’s not like a bad Windows update that can ruin your day!
Windows 10 Pro 22H2
While I have (ages ago) had a major problem updating Thunderbird, breaking things to the point of needing to restore its backup, the Firefox update risks losing functionality needed to continue working (i.e. when Silverlight access was removed a few months ago).
(PS That top link was in #120879. I’d not seen the 2nd link, which has now been updated in Mozilla (Firefox) Updates topic – thanks.)
Mozilla Releases Security Update
https://www.us-cert.gov/ncas/current-activity/2017/08/21/Mozilla-Releases-Security-Update
Original release date: August 21, 2017
Mozilla has released a security update to address multiple vulnerabilities in Thunderbird. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
US-CERT encourages users and administrators to review the Mozilla Security Advisory for Thunderbird 52.3 and apply the necessary update.
Mozilla Releases Security Update
https://www.us-cert.gov/ncas/current-activity/2017/10/11/Mozilla-Releases-Security-Update
Original release date: October 11, 2017
Mozilla has released a security update to address multiple vulnerabilities in Thunderbird. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system.
US-CERT encourages users and administrators to review the Mozilla Security Advisory for Thunderbird and apply the necessary update.
Good to know! Updated today. 🙂
I have also made it a longstanding habit with Thunderbird to block all remote content by default, and to ensure that hyperlinks (when clicked) will open in my default browser rather than the mail program.
Windows 10 Pro 22H2
Mozilla Releases Security Update for Thunderbird
https://www.us-cert.gov/ncas/current-activity/2017/12/25/Mozilla-Releases-Security-Update-Thunderbird
Original release date: December 25, 2017
Mozilla has released a security update to address multiple vulnerabilities in Thunderbird. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
US-CERT encourages users and administrators to review the Mozilla Security Advisory for Thunderbird 52.5.2 and apply the necessary update.
Critical Security Vulnerabilities fixed in Thunderbird 52.5.2
Mozilla Releases Security Update for Thunderbird
https://www.us-cert.gov/ncas/current-activity/2018/01/25/Mozilla-Releases-Security-Update-Thunderbird
Original release date: January 25, 2018
Mozilla has released a security update to address multiple vulnerabilities in Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system.
NCCIC/US-CERT encourages users and administrators to review the Mozilla Security Advisory for Thunderbird 52.6 and apply the necessary update.
Mozilla Releases Security Update for Thunderbird
https://www.us-cert.gov/ncas/current-activity/2018/05/18/Mozilla-Releases-Security-Update-Thunderbird
Original release date: May 18, 2018
Mozilla has released a security update to address vulnerabilities in Thunderbird. A remote attacker could exploit one of these vulnerabilities to take control of an affected system.
NCCIC encourages users and administrators to review the Mozilla Security Advisory for Thunderbird 52.8 and apply the necessary update.
Mozilla Foundation Security Advisory 2018-13
Security vulnerabilities fixed in Thunderbird 52.8
In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.
Mozilla Releases Security Update for Thunderbird
https://www.us-cert.gov/ncas/current-activity/2018/07/03/Mozilla-Releases-Security-Update-Thunderbird
Original release date: July 03, 2018
Mozilla has released a security update to address multiple vulnerabilities in Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system.
NCCIC encourages users and administrators to review the Mozilla Security Advisory for Thunderbird 52.9 and apply the necessary update.
Release Notes: Thunderbird 52.9.0
Fixes include EFail
Updated, thanks!
I also noticed this little comment in the advisory:
“In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.”
I would still always follow the recommendation in the Mozilla Thunderbird support guide to never “Allow remote content in messages” by default.
https://support.mozilla.org/en-US/kb/remote-content-in-messages#w_display-remote-content-by-default
Windows 10 Pro 22H2
As that had already been noted above, I didn’t bother to repeat it… 🙂
In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.
Mozilla Releases Security Update for Thunderbird
https://www.us-cert.gov/ncas/current-activity/2018/08/06/Mozilla-Releases-Security-Update-Thunderbird
Original release date: August 06, 2018
Mozilla has released a security update to address vulnerabilities in Thunderbird. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
NCCIC encourages users and administrators to review the Mozilla Security Advisory for Thunderbird 60 and apply the necessary update.
Repeated in MFSA2018/9:
In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.
From Version 60.0 Release Notes:
Thunderbird version 60 is currently only offered as direct download from thunderbird.net and not as upgrade from Thunderbird version 52 or earlier. If you have installed Lightning, Mozilla’s Calendar add-on, it will automatically be updated to match the new version of Thunderbird. Refer to this troubleshooting article in case of problems.
This may come in handy from Ghacks: how-to-migrate-32-bit-thunderbird-to-64-bit-on-windows/
and from Mozilla FTP: (64bit Version) Thunderbird v60
Re images in Thunderbird, this privacy information explains the ways Thunderbird can view images (reducing the risks involved).
Mozilla Releases Security Update for Thunderbird
https://www.us-cert.gov/ncas/current-activity/2019/02/14/Mozilla-Releases-Security-Update-Thunderbird
Original release date: February 14, 2019
Mozilla has released a security update to address vulnerabilities in Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for Thunderbird 60.5.1 and apply the necessary update.
Security vulnerabilities fixed in Thunderbird 60.5.1:
In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
