Mozilla released a pair of critical updates for Thunderbird today, along with patches for two lower-rated vulnerabilities.
The critical issues are CVE-2018-48500 and CVE-2018-18501. The former is a use-after-free vulnerability that can take place while parsing an HTML5 stream in concert with custom HTML elements, Mozilla posted. This results in the stream parser object being freed while still in use, leading to a potentially exploitable crash.
The second vulnerability covers memory safety bugs present in Firefox 64, Firefox ESR 60.4, and Thunderbird 60.4. Some of these bugs showed evidence of memory corruption and could possibly be exploited to run arbitrary code, Mozilla said.
Also covered in the release of Thunderbird 60.5 was the high-rated flaw CVE-2018-18505, which can allow privilege escalation through IPC channel messages. The problem was actually created, Mozilla reported, during the fix issued for CVE-2011-3079 that added authentication to communications between IPC endpoints and servers. This authentication is insufficient for channels created after the IPC process is started, so it is not correctly applied to those later channels. That could allow a sandbox escape due to a lack of message validation in the listener process.
The last problem is the low-rated CVE-2016-5824, a vulnerability in Thunderbird’s Libical library that can allow remote attackers to cause a DoS issue with a specially crafted ICS calendar file.