Thunderbird 102.2.1 available

The update fixes security vulnerabilities in the mail program.

Mozilla yesterday released an important security update for Thunderbird. It closes several vulnerabilities, including one through which a crafted email could exfiltrate sensitive information from the mail client.

With the update to Thunderbird 102.2.1, the developers fix four security vulnerabilities in the mail client. Mozilla rates one of them (CVE-2022-3033) as high risk and the other three as moderate. The update also fixes bugs that are not security-related.

With a specially crafted email, an attacker could make Thunderbird contact an attacker-controlled Internet address (URL), execute JavaScript code, and send data to that URL. To exploit CVE-2022-3033, the crafted HTML mail must contain a meta tag with the attribute http-equiv="refresh" whose content attribute specifies a URL. As soon as the user starts composing a reply to this mail, Thunderbird issues a network request to that URL, even if the mail client is configured to block remote content.

In combination with certain other HTML elements and attributes in the message, JavaScript contained in it could run in the context of the compose window while the reply is still open. That code could read, modify and send parts of the reply to the URL in question, or even change the target URL. The quoted content of the original message could also be manipulated or exfiltrated, and if the original message was encrypted, that quoted content is its decrypted plaintext. Even if the user ultimately decided not to send the reply at all, everything written or added to it up to that point might already have leaked unnoticed.

Users who have changed Thunderbird's default message body display setting to Simple HTML or Plain Text are not affected by this vulnerability.

Another vulnerability, CVE-2022-3032, lets Thunderbird load remote content even though it is blocked by default. For this, a crafted mail must contain an iframe element whose srcdoc attribute defines an inline HTML document; remote objects referenced inside that nested document, such as an image or a video, are not blocked. Thunderbird fetches them from the network and displays them.
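Both constructs described above, the meta refresh with a URL (CVE-2022-3033) and the iframe srcdoc whose nested document pulls in remote objects (CVE-2022-3032), are visible in the HTML of the message itself, so a mail gateway or a mailbox audit script can flag messages that carry them. The following scanner is an added example written for this article, not Mozilla or Thunderbird code; the function names, the attacker.example addresses and the sample message are assumptions constructed here.

```python
"""Scan an email for the two HTML constructs named in the Thunderbird 102.2.1
advisory: a <meta http-equiv="refresh"> whose content names a URL
(CVE-2022-3033) and an <iframe srcdoc="..."> whose inline document references
remote objects (CVE-2022-3032).

Added example (mail-gateway style check), not Mozilla or Thunderbird code.
All function names and the sample message are assumptions constructed here.
"""
import email
import re
from email import policy
from html.parser import HTMLParser

# Absolute http(s) or protocol-relative URLs count as remote; cid:/data: do not.
REMOTE_SRC = re.compile(r"^\s*(https?:|//)", re.IGNORECASE)
# Refresh content of the form "0; url=https://..." (quotes and spacing optional).
REFRESH_URL = re.compile(r"^\s*\d*\s*;\s*url\s*=\s*['\"]?([^'\"\s]+)", re.IGNORECASE)
OBJECT_TAGS = {"img", "video", "audio", "source"}


class _Finder(HTMLParser):
    """Collects suspicious constructs from one HTML document.

    findings: (kind, url) pairs worth flagging.
    remote_objects: remote media URLs seen in this document. At top level these
    are ordinary remote content (blocked by Thunderbird's default); they only
    become a finding when they sit inside an iframe srcdoc document.
    """

    def __init__(self):
        super().__init__()
        self.findings = []
        self.remote_objects = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases attribute names and unescapes their values,
        # so a srcdoc written with &lt; and &quot; arrives here as real HTML.
        a = {name: (value or "") for name, value in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = REFRESH_URL.match(a.get("content", ""))
            if m:
                self.findings.append(("meta-refresh", m.group(1)))
        elif tag == "iframe" and "srcdoc" in a:
            inner = _Finder()  # srcdoc embeds a whole nested document
            inner.feed(a["srcdoc"])
            inner.close()
            for kind, url in inner.findings:
                self.findings.append(("iframe-srcdoc-" + kind, url))
            for url in inner.remote_objects:
                self.findings.append(("iframe-srcdoc-remote-object", url))
        elif tag in OBJECT_TAGS and REMOTE_SRC.match(a.get("src", "")):
            self.remote_objects.append(a["src"].strip())


def scan_html(html):
    """Return (kind, url) findings for a single HTML document."""
    finder = _Finder()
    finder.feed(html)
    finder.close()
    return finder.findings


def scan_message(raw):
    """Parse an RFC 822 message (bytes) and scan every text/html part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(scan_html(part.get_content()))
    return findings


# Constructed sample carrying both constructs; attacker.example is a placeholder.
SAMPLE_EML = b"""\
From: sender@example.com
To: victim@example.org
Subject: constructed test message
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><head>
<meta http-equiv="refresh" content="0; url=https://attacker.example/collect">
</head><body>
<p>Please reply to this message.</p>
<iframe srcdoc="&lt;img src=&quot;https://attacker.example/track.png&quot;&gt;"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for kind, url in scan_message(SAMPLE_EML):
        print(f"{kind}: {url}")
```

A plain `<img src="https://...">` at the top level of the message is deliberately not reported: that is ordinary remote content, which Thunderbird's default setting already blocks. The same element only becomes a finding when it is wrapped in an iframe srcdoc document, which is exactly the case the advisory describes. A meta refresh without a URL (for example `content="5"`) is likewise ignored, since the advisory requires the content attribute to specify a URL.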

The vulnerability CVE-2022-36059 can be exploited for a denial of service (DoS) attack. The prerequisite is that the user uses Thunderbird's Matrix chat support and the attacker is in the same chat room.

Thunderbird 91.x is now obsolete

Mozilla retired the Thunderbird 91.x branch after the 91.13.0 update in August and is not providing any further updates for it. If you are still using this generation of the mail client, you should upgrade to Thunderbird 102. Only this new generation continues to receive security updates, new features and bug fixes from Mozilla.

The new version can be downloaded from UpdateStar or from the official Thunderbird website.
