The US-CERT on Thursday announced security updates to Mozilla Thunderbird, Google Chrome and the Internet Systems Consortium's BIND Domain Name System software.
The Mozilla Foundation's release of Thunderbird version 52.2 fixed 14 vulnerabilities in the email application, including a critical use-after-free bug in the frameloader, which used a non-existent node when regenerating trees. This flaw, officially designated CVS-2017-5472, could cause a crash that attackers would be able to exploit. Another second reported vulnerability, designated CVE-2017-5460, involves various memory safety bugs that were addressed not only Thunderbird 52.2, but also the Firefox 54 and Firefox ESR 52.2 browser versions.
Meanwhile, Google announced that it will be rolling out Chrome version 59.0.3071.104 for Windows, Mac, and Linux desktop systems in the coming days and weeks. This latest release solves five different vulnerabilities, including a high-severity sandbox escape bug (CVE-2017-5087) that earned a security researcher a $10,500 bug bounty for discovering it. The was was specifically found in IndexedDB, an API for client-side storage of structured data.
The ISC BIND updates include versions 9.11.1-P1, 9.10.5-P1, and 9.9.10-P1, and address two vulnerabilities, one of which can be exploited to take control of an affected system, the US-CERT reported. On its ISC Knowledge Base web page, the ISC specifically warns of LMDB (Lightning Memory-Mapped Database) integration problems in all versions of BIND 9.11.0 and 9.11.1. Come July or August, BIND version 9.11.2 will address this issue, but until that time, ISC recommends that LMDB be disabled.
