Network Security, Patch/Configuration Management, Vulnerability Management

Security updates announced for Mozilla Thunderbird, Google Chrome, ISC’s BIND

The US-CERT on Thursday announced security updates to Mozilla Thunderbird, Google Chrome and the Internet Systems Consortium's BIND Domain Name System software.

The Mozilla Foundation's release of Thunderbird version 52.2 fixed 14 vulnerabilities in the email application, including a critical use-after-free bug in the frameloader, which used a non-existent node when regenerating trees. This flaw, officially designated CVS-2017-5472, could cause a crash that attackers would be able to exploit. Another second reported vulnerability, designated CVE-2017-5460, involves various memory safety bugs that were addressed not only Thunderbird 52.2, but also the Firefox 54 and Firefox ESR 52.2 browser versions.

Meanwhile, Google announced that it will be rolling out Chrome version 59.0.3071.104 for Windows, Mac, and Linux desktop systems in the coming days and weeks. This latest release solves five different vulnerabilities, including a high-severity sandbox escape bug (CVE-2017-5087) that earned a security researcher a $10,500 bug bounty for discovering it. The was was specifically found in IndexedDB, an API for client-side storage of structured data.

The ISC BIND updates include versions 9.11.1-P1, 9.10.5-P1, and 9.9.10-P1, and address two vulnerabilities, one of which can be exploited to take control of an affected system, the US-CERT reported. On its ISC Knowledge Base web page, the ISC specifically warns of LMDB (Lightning Memory-Mapped Database) integration problems in all versions of BIND 9.11.0 and 9.11.1. Come July or August, BIND version 9.11.2 will address this issue, but until that time, ISC recommends that LMDB be disabled.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.