Mozilla released Thunderbird 91.3 to fix several high-impact vulnerabilities that can cause a denial of service, spoof the origin, bypass security policies, and allow arbitrary code execution.
Mozilla Thunderbird 91.3 fixed flaws
- CVE-2021-38503: iframe bypass restrictions that allow script execution
- CVE-2021-38504: use-after-free in the file picker dialog, leading to memory corruption and a potentially exploitable crash
- CVE-2021-38505: Windows 10 Cloud Clipboard sensitive data recording, copying sensitive user data to the user’s Microsoft account, increasing the risk of information disclosure.
- CVE-2021-38506: Forcing Thunderbird to go into fullscreen mode without user interaction, laying the ground for UI spoofing and phishing attacks.
- CVE-2021-38507: Bypass the ‘Same-Origin-Policy’ by exploiting the Opportunistic Encryption feature.
- CVE-2021-38508: Ability to overlay the Permission Prompt to trick the user into granting any permission.
- CVE-2021-38510: Bypass ‘Download Protections’ on .inetloc files, allowing code execution on macOS.
- MOZ-2021-0008: Use-after-free in HTTP2 Session object, leading to memory corruption and possibly to an exploitable crash.
- MOZ-2021-0007: Memory corruption flaws that may lead to arbitrary code execution.
One vulnerability, tracked as CVE-2021-38505, is of particular interest because it is related to the Windows 10 Cloud Clipboard. Introduced in 2018, this feature, if enabled, syncs data you copy to the clipboard into the cloud so that it is available on your other devices that are signed in to the same Microsoft account.
To prevent sensitive data from being synced to the cloud, Microsoft introduced specific clipboard formats that Windows would not copy to the cloud. However, Thunderbird and Mozilla did not use those formats, potentially allowing sensitive data to be synchronized.
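The opt-out mechanism described above, as an added example that is not Thunderbird's or Mozilla's code: a PowerShell function that places text on the clipboard together with the clipboard formats Microsoft documents for excluding content from Cloud Clipboard upload and clipboard history, plus a check that the opt-out is present. The format names are Microsoft's documented ones; the use of the .NET DataObject, the function names and the sample string are my own choices, and the script assumes Windows 10 1809 or later in an interactive desktop session.

```powershell
# Added example, not part of the original article or of Thunderbird.
Add-Type -AssemblyName System.Windows.Forms

function Set-ClipboardTextNoCloudSync {
    param([Parameter(Mandatory)][string]$Text)

    # The documented "false" value for these formats is a 4-byte DWORD 0.
    # A MemoryStream is stored on the clipboard as raw bytes, which is what
    # the clipboard service expects to read back.
    $dwordZero = { New-Object System.IO.MemoryStream (,[byte[]](0,0,0,0)) }

    $data = New-Object System.Windows.Forms.DataObject
    $data.SetData([System.Windows.Forms.DataFormats]::UnicodeText, $Text)

    # Do not upload this item to the user's Microsoft account
    # (the exposure behind CVE-2021-38505).
    $data.SetData('CanUploadToCloudClipboard', $false, (& $dwordZero))
    # Keep it out of the local Win+V clipboard history as well.
    $data.SetData('CanIncludeInClipboardHistory', $false, (& $dwordZero))
    # Ask clipboard monitors to skip this content entirely; presence of the
    # format is sufficient, the value is irrelevant.
    $data.SetData('ExcludeClipboardContentFromMonitorProcessing', $false, (& $dwordZero))

    # $true copies the data so it remains available after this process exits.
    [System.Windows.Forms.Clipboard]::SetDataObject($data, $true)
}

function Test-ClipboardHasCloudOptOut {
    # Defender-side check: does the current clipboard item carry the
    # upload opt-out format? Useful when auditing what an application puts
    # on the clipboard.
    $obj = [System.Windows.Forms.Clipboard]::GetDataObject()
    return [bool]($obj -and $obj.GetDataPresent('CanUploadToCloudClipboard'))
}

# Constructed sample value; any application copying credentials or message
# bodies would apply the same formats.
Set-ClipboardTextNoCloudSync -Text 'constructed-sample-secret-not-for-cloud'
Test-ClipboardHasCloudOptOut
```

Copying the same text with Set-Clipboard and running Test-ClipboardHasCloudOptOut again shows the difference: the plain copy carries none of the opt-out formats and is eligible for sync.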
Upgrading to version 91.3 or later should be done as soon as possible to get protection from the above security flaws.
To upgrade to the latest version, open Thunderbird, click on the app menu, and select Help > About Thunderbird. From there, you will be offered the option to download and install the latest available version.