Digital Guardian's Blog

Mozilla Fixes Critical Vulnerability in Thunderbird



Mozilla fixed five vulnerabilities, including a critical buffer overflow, in version 52.5.2 of its email application Thunderbird last week.

Mozilla fixed a handful of issues in Thunderbird, its free email application, late last week, including a critical vulnerability that could have crashed programs running on Windows machines.

The critical bug stemmed from a buffer overflow that could have been triggered when drawing and validating elements using Windows’ Direct3D 9 graphics functionality with the ANGLE graphics library.

Thunderbird uses ANGLE instead of OpenGL, a cross-language, cross-platform API, for WebGL rendering. According to Mozilla, an incorrect value can be passed within the library during checks, which can result in a potentially exploitable crash.

Mozilla fixed the bug last Friday, according to a security advisory. The same issue was also addressed in Firefox, Mozilla's flagship browser, earlier this month.

The company also fixed two high-severity bugs: one (CVE-2017-7846) that made it possible to execute JavaScript in a parsed RSS feed, and another (CVE-2017-7847) that could have leaked sensitive data, such as usernames, via local path strings from an RSS feed.

Researchers with Cure53, a German cybersecurity firm that carries out penetration tests, discovered both RSS feed bugs and reported them to Mozilla, along with a less severe bug that could have opened RSS feeds up to line injection, which could have modified messages.

The security updates, the first Thunderbird has received in about a month, come just a few days after Mozilla said the mail application was planning to make some changes internally.

Ryan Sipes, Thunderbird's Community Manager, said last week that Thunderbird was hoping to "address some technical debt" and "fix some sore points in the software" in the new year. Sipes also said Thunderbird will change its codebase from C++, JavaScript, XUL, and XPCOM to be mostly based on web technologies.

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.