
Mozilla patches one critical, two high flaws in Thunderbird

Mozilla has released Thunderbird 52.5.2 with a series of security fixes, including one critically rated buffer overflow that can cause a potentially exploitable crash.

The critical flaw, CVE-2017-7845, is a buffer overflow that affects only Windows systems. It occurs when drawing and validating elements using Direct3D 9 with the ANGLE graphics library, which is used for WebGL content. An incorrect value passed within the library during checks results in a potentially exploitable crash, the security advisory said.

The release also fixes two high-rated issues, CVE-2017-7846 and CVE-2017-7847. The first makes it possible to execute JavaScript in a parsed RSS feed when the feed is viewed as a website. The second allows a specially crafted Cascading Style Sheet in an RSS feed to leak or reveal local path strings, which could include a user name.

Another RSS issue, the moderate-rated CVE-2017-7848, allows RSS fields to inject new lines into the generated email structure, modifying the message body.

Closing out the advisory is the low-rated CVE-2017-7829, which allows a sender's email address to be spoofed so that an arbitrary sender address is displayed to the recipient. The real sender's address is not displayed if it is preceded by a null character in the display string, the advisory said.
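As an added illustration (not code from Mozilla or from this article), the following Python models the two header-integrity problems described in the last two paragraphs: a mail-side audit that flags a NUL character, or an address-looking display name that differs from the real address, in the From header (the CVE-2017-7829 pattern), and a feed-side sanitiser that stops CR/LF in feed fields from reshaping the generated message (the CVE-2017-7848 pattern). The sample messages, feed fields and header names are constructed for the example, and the assumption that the NUL arrives inside an RFC 2047 encoded word is the example's own; the advisory text quoted here does not say how Thunderbird received it.

```python
"""Header-integrity checks modelled on the two RSS/mail issues described above.

Added example; not Mozilla or SC Media code. Sample messages and feed fields
below are constructed for the demonstration.
"""
import re
from email import message_from_bytes
from email.header import decode_header

# CR, LF and NUL are the characters that let a field value alter message
# structure (new header / end of headers) or truncate what a client displays.
CONTROL_CHARS = re.compile(r"[\x00\r\n]+")
ADDR_IN_TEXT = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# --- CVE-2017-7829 pattern: spoofed sender via the From display string -----

# Constructed messages. The second one assumes the NUL arrives inside an
# RFC 2047 encoded word (=00); the advisory text here does not say how
# Thunderbird received it, so this is an assumption of the example.
SAMPLES = {
    "benign": b"From: Alice Example <alice@corp.example>\r\nSubject: hi\r\n\r\nbody\r\n",
    "nul_spoof": (
        b"From: =?utf-8?Q?ceo=40corp.example=00?= <mallory@evil.example>\r\n"
        b"Subject: urgent\r\n\r\nbody\r\n"
    ),
}


def decode_header_value(raw: str) -> str:
    """Decode RFC 2047 encoded words into one str, keeping any NUL characters visible."""
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            parts.append(chunk.decode(charset or "ascii", errors="replace"))
        else:
            parts.append(chunk)
    return "".join(parts)


def audit_from_header(raw_message: bytes) -> list[str]:
    """Return human-readable findings about the From header of a raw message."""
    msg = message_from_bytes(raw_message)
    decoded = decode_header_value(msg.get("From", ""))
    findings = []
    if "\x00" in decoded:
        findings.append("NUL character in From display string; a client may stop rendering there")
    m = re.match(r"^(.*?)\s*<([^<>]*)>\s*$", decoded)
    display, addr_spec = (m.group(1), m.group(2)) if m else ("", decoded)
    addr_spec = addr_spec.strip().lower()
    display_clean = display.replace("\x00", "").strip().strip('"')
    # An address-looking display name that differs from the real addr-spec is
    # the spoof pattern: the recipient sees one address, replies go to another.
    for shown in ADDR_IN_TEXT.findall(display_clean):
        if shown.lower() != addr_spec:
            findings.append(f"display name shows {shown!r} but sender is {addr_spec!r}")
    return findings


# --- CVE-2017-7848 pattern: feed fields injecting new lines -----------------

FEED_LINK = "https://feed.example/items/42"
FEED_BODY = "Real article summary."
# Constructed feed title carrying a CRLF CRLF sequence: in a naively built
# message the blank line ends the header block early.
FEED_TITLE_INJECTED = "Weekly digest\r\n\r\nThis text is now part of the message body"


def sanitize_feed_field(value: str) -> str:
    """Collapse CR/LF/NUL runs to a single space so a field stays on one header line."""
    return CONTROL_CHARS.sub(" ", value).strip()


def build_message(title: str, link: str, body: str, sanitize: bool) -> str:
    """Assemble a message from feed fields; sanitize=False is the vulnerable form."""
    if sanitize:
        title, link = sanitize_feed_field(title), sanitize_feed_field(link)
    return f"Subject: {title}\r\nX-Feed-Link: {link}\r\n\r\n{body}"


def parse_message(raw: str) -> tuple[list[str], str]:
    """Split at the first blank line and return (header field names, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    names = [line.split(":", 1)[0] for line in head.split("\r\n")
             if line and line[0] not in " \t" and ":" in line]
    return names, body


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, audit_from_header(raw) or "clean")
    for flag in (False, True):
        names, body = parse_message(build_message(FEED_TITLE_INJECTED, FEED_LINK, FEED_BODY, flag))
        print("sanitized" if flag else "naive", names, body[:40])
```

Run stand-alone, the naive build shows the injected title swallowing the X-Feed-Link header into the body, while the sanitised build keeps both headers and the original body; the spoofed sample produces two findings (the NUL and the address mismatch) and the benign one none. In a real gateway the same two checks would sit on the delivery path and on the feed-to-mail conversion respectively.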
