
  • Mozilla Security Update: US-CERT (Thunderbird)


      • #120879
        Kirsty
        Manager

        Mozilla Releases Security Update
        https://www.us-cert.gov/ncas/current-activity/2017/06/15/Mozilla-Releases-Security-Update

        Original release date: June 15, 2017

         
        Mozilla has released a security update to address multiple vulnerabilities in Thunderbird. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

        US-CERT encourages users and administrators to review the Mozilla Security Advisory for Thunderbird 52.2 and apply the necessary update.

        2 users thanked author for this post.
      • #120882
        Kirsty
        Manager

        @martinbrinkmann posted on ghacks.net about problems he experienced in Thunderbird 52.2.0

        1 user thanked author for this post.
        • #121116
          JohnW
          AskWoody Plus

          Thanks for that link.  Will be on the lookout.  I updated to 52.2.0 today, and so far all of my folders seem intact and everything is there as it was previously.  Not sure what happened to Martin …

          I use imap exclusively with several accounts.

      • #120978
        Cascadian
        AskWoody Lounger

        Kirsty, could you help me with a non-authoritative interpretation?

        Are these vulnerabilities very specific to the Thunderbird client, more general to the Gecko engine, or more broadly reflected in the generally accepted practices common to many engines and protocols currently in use?

        This is not meant to be alarmist, just trying to think [ahead] more broadly.

        Reference also: https://www.askwoody.com/forums/topic/chrome-security-update-us-cert-browser/#post-120901

        • #120980
          Kirsty
          Manager

          @Paul, I’ve not taken the time needed to thoroughly research this, but on checking a CVE number used in Mozilla’s post, it is showing as Reserved i.e. details appear not to have been released/published yet.

          I believe that details are sometimes not published until the fix is in place, but I am not aware if this is the case in this situation. Thunderbird has not appeared in the weekly NCAS bulletins in recent weeks, that I have seen.

          2 users thanked author for this post.
        • #121117
          JohnW
          AskWoody Plus

          Here are the vulnerabilities that Mozilla just fixed in Thunderbird 52.2.0

          https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/

          Here are the vulnerabilities that Mozilla recently fixed in Firefox 54.

          https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/

          There does appear to be some crossover between the two regarding some CVEs.

          I usually apply Mozilla fixes immediately.  So far I have never had an update from them that crippled my browsing or email.  And it’s not like a bad Windows update that can ruin your day!

          1 user thanked author for this post.
          • #121123
            Kirsty
            Manager

            While I have (ages ago) had a major problem updating Thunderbird, breaking things to the point of needing to restore its backup, the Firefox update risks losing functionality needed to continue working (i.e. when Silverlight access was removed a few months ago).

            (PS That top link was in #120879. I’d not seen the 2nd link, which has now been updated in Mozilla (Firefox) Updates topic – thanks.)

      • #130980
        Kirsty
        Manager

        Mozilla Releases Security Update
        https://www.us-cert.gov/ncas/current-activity/2017/08/21/Mozilla-Releases-Security-Update

        Original release date: August 21, 2017

         
        Mozilla has released a security update to address multiple vulnerabilities in Thunderbird. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

        US-CERT encourages users and administrators to review the Mozilla Security Advisory for Thunderbird 52.3 and apply the necessary update.

        1 user thanked author for this post.
      • #138842
        Kirsty
        Manager

        Mozilla Releases Security Update
        https://www.us-cert.gov/ncas/current-activity/2017/10/11/Mozilla-Releases-Security-Update

        Original release date: October 11, 2017

         
        Mozilla has released a security update to address multiple vulnerabilities in Thunderbird. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system.

        US-CERT encourages users and administrators to review the Mozilla Security Advisory for Thunderbird and apply the necessary update.

         
        Security vulnerabilities fixed in Thunderbird 52.4

        1 user thanked author for this post.
        • #138909
          JohnW
          AskWoody Plus

          Good to know!  Updated today.  🙂

          I have also made it a longstanding habit with Thunderbird to block all remote content by default, and to ensure that hyperlinks (when clicked) will open in my default browser rather than the mail program.

      • #154439
        Kirsty
        Manager

        Mozilla Releases Security Update for Thunderbird
        https://www.us-cert.gov/ncas/current-activity/2017/12/25/Mozilla-Releases-Security-Update-Thunderbird

        Original release date: December 25, 2017

         
        Mozilla has released a security update to address multiple vulnerabilities in Thunderbird. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

        US-CERT encourages users and administrators to review the Mozilla Security Advisory for Thunderbird 52.5.2 and apply the necessary update.

         
        Critical Security Vulnerabilities fixed in Thunderbird 52.5.2

        1 user thanked author for this post.
      • #162298
        Kirsty
        Manager

        Mozilla Releases Security Update for Thunderbird
        https://www.us-cert.gov/ncas/current-activity/2018/01/25/Mozilla-Releases-Security-Update-Thunderbird

        Original release date: January 25, 2018

         
        Mozilla has released a security update to address multiple vulnerabilities in Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system.

        NCCIC/US-CERT encourages users and administrators to review the Mozilla Security Advisory for Thunderbird 52.6 and apply the necessary update.

        1 user thanked author for this post.
      • #193120
        Kirsty
        Manager

        Mozilla Releases Security Update for Thunderbird
        https://www.us-cert.gov/ncas/current-activity/2018/05/18/Mozilla-Releases-Security-Update-Thunderbird

        Original release date: May 18, 2018

         
        Mozilla has released a security update to address vulnerabilities in Thunderbird. A remote attacker could exploit one of these vulnerabilities to take control of an affected system.

        NCCIC encourages users and administrators to review the Mozilla Security Advisory for Thunderbird 52.8 and apply the necessary update.

         
        Mozilla Foundation Security Advisory 2018-13
        Security vulnerabilities fixed in Thunderbird 52.8

        In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

        2 users thanked author for this post.
        • #193176
          JohnW
          AskWoody Plus

          Thanks for the heads up!!!  🙂

          1 user thanked author for this post.
      • #201243
        Kirsty
        Manager

        Mozilla Releases Security Update for Thunderbird
        https://www.us-cert.gov/ncas/current-activity/2018/07/03/Mozilla-Releases-Security-Update-Thunderbird

        Original release date: July 03, 2018

         
        Mozilla has released a security update to address multiple vulnerabilities in Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system.

        NCCIC encourages users and administrators to review the Mozilla Security Advisory for Thunderbird 52.9 and apply the necessary update.

         
        Release Notes: Thunderbird 52.9.0
        Fixes include EFail

        3 users thanked author for this post.
        • #201321
          JohnW
          AskWoody Plus

          Updated, thanks!

          I also noticed this little comment in the advisory:

          “In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.”

          I would still always follow the recommendation in the Mozilla Thunderbird support guide to never “Allow remote content in messages” by default.

          https://support.mozilla.org/en-US/kb/remote-content-in-messages#w_display-remote-content-by-default

          4 users thanked author for this post.
          • #201419
            Kirsty
            Manager

            As that had already been noted above, I didn’t bother to repeat it… 🙂

            In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

      • #209137
        Kirsty
        Manager

        Mozilla Releases Security Update for Thunderbird
        https://www.us-cert.gov/ncas/current-activity/2018/08/06/Mozilla-Releases-Security-Update-Thunderbird

        Original release date: August 06, 2018

         
        Mozilla has released a security update to address vulnerabilities in Thunderbird. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

        NCCIC encourages users and administrators to review the Mozilla Security Advisory for Thunderbird 60 and apply the necessary update.

         
        Repeated in MFSA2018/9:

        In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

         
        From Version 60.0 Release Notes:

        Thunderbird version 60 is currently only offered as direct download from thunderbird.net and not as upgrade from Thunderbird version 52 or earlier. If you have installed Lightning, Mozilla’s Calendar add-on, it will automatically be updated to match the new version of Thunderbird. Refer to this troubleshooting article in case of problems.

        2 users thanked author for this post.
        • #209169
          Bill C.
          AskWoody Plus

          Thanks for the updates. I went to the website and noticed that they do not yet have the 64bit version of 60 posted. There is still language about 32 bit only, with 64 not supported.

          I am hoping that is just a temporary thing.

          • #209171
            Microfix
            AskWoody MVP

            This may come in handy from Ghacks: how-to-migrate-32-bit-thunderbird-to-64-bit-on-windows/

            and from Mozilla FTP: (64bit Version) Thunderbird v60

            | Quality over Quantity |
            1 user thanked author for this post.
            • #209183
              Bill C.
              AskWoody Plus

              I will hold fast for now and wait for the Version 60 (both 32 or 64 bit) to age a bit before adopting. That was also mentioned in the Ghacks links comments. I am wondering why the update is manual, given that the jump in Firefox to Quantum was an update.

              Thunderbird on Windows is my secondary email client, therefore the retained emails are small. I use Outlook 2010 for my main email, but as feature after feature is disabled due to security patches, too many emails from known sources are failing to show content and images unless they are hosted by that business. Thunderbird also blocks remote content and images, but you can enable it on a message by message basis. MS wants you to open it in a browser.

      • #327343
        Kirsty
        Manager

        Mozilla Releases Security Update for Thunderbird
        https://www.us-cert.gov/ncas/current-activity/2019/02/14/Mozilla-Releases-Security-Update-Thunderbird
        Original release date: February 14, 2019

        Mozilla has released a security update to address vulnerabilities in Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system.

        The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for Thunderbird 60.5.1 and apply the necessary update.

        Security vulnerabilities fixed in Thunderbird 60.5.1:
        In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

        Thunderbird 60.5.1 Release Notes

        1 user thanked author for this post.