Thunderbird 52.6.0 with security fixes released

Martin Brinkmann
Jan 26, 2018
Email, Thunderbird
|
20

Thunderbird 52.6.0 is a security update for the popular desktop email client. The release is available via the email client's automatic update feature and also on the official project website.

Thunderbird users can run a manual check for updates with a click on Help > About Thunderbird. If the menu bar is missing, tap on the Alt-key to display it.

Thunderbird will pick up the new update and download and install it automatically.

Thunderbird 52.6.0

thunderbird 52.6.0

Thunderbird 52.6.0 is a security and maintenance release.

The team lists all fixed security vulnerabilities on this page. The bulk of issues cannot be exploited through emails because scripts are disabled by default when reading emails. They may be exploited however in browser or browser-like contexts.

  • CVE-2018-5095: Integer overflow in Skia library during edge builder allocation
  • CVE-2018-5096: Use-after-free while editing form elements
  • CVE-2018-5097: Use-after-free when source document is manipulated during XSLT
  • CVE-2018-5098: Use-after-free while manipulating form input elements
  • CVE-2018-5099: Use-after-free with widget listener
  • CVE-2018-5102: Use-after-free in HTML media elements
  • CVE-2018-5103: Use-after-free during mouse event handling
  • CVE-2018-5104: Use-after-free during font face manipulation
  • CVE-2018-5117: URL spoofing with right-to-left text aligned left-to-right
  • CVE-2018-5089: Memory safety bugs fixed in Firefox 58, Firefox ESR 52.6, and Thunderbird 52.6

Thunderbird 52.6.0 fixes three usability issues as well.

  • Searching message bodies of messages in local folders, including filter and quick filter operations, not working reliably: Content not found in base64-encode message parts, non-ASCII text not found and false positives found.
  • Defective messages (without at least one expected header) not shown in IMAP folders but shown on mobile devices
  • Calendar: Unintended task deletion if numlock is enabled

The search issue fix is probably the biggest improvement in the release. Thunderbird's built-in search did not work reliably in some cases. If you noticed in the past that mails were not returned by the search even though they should, this may have been the reason for that.

Thunderbird did not display defective messages in IMAP folders under certain circumstances. This is fixed as well and should work as intended.

Last but not least, a bug caused tasks to be deleted in the built-in calendar if Numlock was activated.

Closing Words

Thunderbird 52.6.0 is a security update and as such should be installed asap. I did not notice any issues yet after the upgrade but that is just with a couple of minutes of using the new version. If anything comes up I'll update the article.

Now You: Which email client or service do you use?

Related articles

Summary
Thunderbird 52.6.0 with security fixes released
Article Name
Thunderbird 52.6.0 with security fixes released
Description
Thunderbird 52.6.0 is a security update for the popular desktop email client. The release is available via the email client's automatic update feature and also on the official project website.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

  1. Matt said on January 28, 2018 at 10:31 pm
    Reply

    Why would anyone use Thunderbird over mailbird, outlook.com or even em client?

  2. ilev said on January 28, 2018 at 8:16 am
    Reply
    1. Paul(us) said on January 29, 2018 at 11:41 am
      Reply

      Thanks allot Ilev,
      Much appreciated!

  3. Angel said on January 27, 2018 at 12:19 pm
    Reply

    I hate what the internet has become.

    1. Tom Hawack said on January 27, 2018 at 1:28 pm
      Reply

      You’ll love Internet as is is now when you’ll discover as it will be tomorrow.

      The opposite of “I love you more than yesterday but less than tomorrow” : “Internet, listen to me. Are you listening to me? Here goes : I hate you more than yesterday but less than tomorrow” :=)

      Message in a bottle …

  4. Crambie said on January 27, 2018 at 12:17 pm
    Reply

    Javascript has been disabled for emails since TB3, it’s only enabled for RSS feeds. So unless you’re using it for RSS there’s no real need to disable it in config.

  5. ULBoom said on January 27, 2018 at 5:34 am
    Reply

    T Bird with G (yuk!) Mail and paid Mailbox.org (yes!), also playing with Claws. Use Email (that’s what it’s called) for android and free web based Proton Mail.

    Closed some old gmail accounts and that silly google+ thing and will soon transfer everything out. Amazing the difference in spam comparing Mailbox and Proton to Gmail. I knew google promoted spam, but there’s almost none in the other services.

    T Bird’s been a good client for over a decade, hope it continues on.

  6. Herman said on January 27, 2018 at 12:52 am
    Reply

    Love Thunderbird! Been using it for a very long time. With that said just a few issues I’d really like to see addressed.

    When you set a retention policy on a folder that is based on an imap account. You must leave Thunderbird open for at least 5 minutes or longer for the policy to kick in and actually do its job. Would be great if this could somehow be sped-up.

    Filters: They do a wonderful job with these and the mail is usually routed correctly, forwarded or deleted based on the rule. However, filtering also takes a long time especially when dealing with spam. You set a keyword to be looked at, set it for “Before Junk Classification” and many times it just ignores the rule completely. I’ve tried every setting possible, changed words, checked to make sure the rule is correct, changed classification settings…nothing.

    Finally, it would be wonderful if Thunderbird would allow you hide system folders set by providers. Yahoo has a folder called Bulk Mail. Its good, appropriate and does a fine job. However, it would be nice not be forced to have that folder listed if you don’t want to see it. I understand the need for it to exist but why not be able to hide it away?

    Otherwise, Thunderbird is fabulous! Promote its use to everyone and all constantly.

  7. basicuser said on January 26, 2018 at 11:58 pm
    Reply

    Still happily chugging along with Thunderbird 24.5.0.

  8. Stefan said on January 26, 2018 at 10:08 pm
    Reply

    I have used Thunderbird for many years now. I even have stayed with an older version due to some changes that annoyed me in the newer ones.

    Unknown senders ends up in Trashbin automatically.

  9. 3V1L-H4CK3R said on January 26, 2018 at 7:57 pm
    Reply

    rendering text mails greatly reduces the risks, as hackers can’t do so much. Keep monitoring the attachments, though

    1. John Fenderson said on January 26, 2018 at 10:01 pm
      Reply

      I never open attachments from strangers, and I never open attachments from people I know without confirming that they intended to send them first.

  10. John Fenderson said on January 26, 2018 at 7:25 pm
    Reply

    “Which email client or service do you use?”

    I use Thunderbird.

    I’m curious, though: I disable HTML rendering — HTML in email is evil — so does that mean I’m not vulnerable to those security issues?

    1. Tom Hawack said on January 26, 2018 at 7:40 pm
      Reply

      Concerning HTML — your question — I have no idea of the impact disabling it has, but I do know that disabling javascript in an email client is a good security practice with no impact on most emails, and none actually if the client is used without any plugin (videos etc).

      In about:config : javascript.enabled -> set to false

      You must know that. I’ve always disabled javascript in TB with no rendering issue. Disabling HTML will of course break non-txt only emails and I’m not sure it will be a great contribution to security.

      Just my two cents…

      1. John Fenderson said on January 26, 2018 at 8:25 pm
        Reply

        Yes, I disable Javascript in Thunderbird as well. (I keep Javascript generally disabled in my browser, too, selectively enabling certain scripts as needed with NoScript).

        “Disabling HTML will of course break non-txt only emails”

        Something I’m perfectly fine with. 90% of emails that I get that use HTML are spam, and with the other 10%, I’m perfectly fine just reading the HTML source.

  11. sunnytimes said on January 26, 2018 at 6:32 pm
    Reply

    I use thunderbird everyday for my work email , its great .. i watch my co-workers who won’t listen to me struggle using the goofy webmail the company has. oh well , story of my life , i’m only right when everyone else is wrong.

    thanks for the update!

  12. Tom Hawack said on January 26, 2018 at 4:43 pm
    Reply

    Hello Houston : the bird has been updated.
    The crew means Thunderbird, so do I :=)

    1. Paul(us) said on January 29, 2018 at 11:39 am
      Reply

      Hello Tom, Thunderbird has nothing to do with Houston.
      But all with the 1964 British tv series filmed on the Slough Trading Estate and played on a tropical island far away.
      Some of the Thunderbirds were created after RAF’s Red Arrows aerobatics display team.
      Main one personal favorite thunderbird still is:
      Thunderbird 5: a space station that relays distress calls from around the world. Manned alternately by “space monitors” John and Alan.
      So again nothing to do with Houston.
      Thunderbird out!
      :-)

      1. Tom Hawack said on January 29, 2018 at 11:59 am
        Reply

        Hello Paul(us) :=)
        I had in mind,
        – “The eagle has landed” (Apollo 11) … the bird!
        – “Hello Houston, we have a problem” (Apollo 13) shifted to the idea we had none!
        Thanks for the valuable information!

  13. Franck said on January 26, 2018 at 2:40 pm
    Reply

    Thanks a lot for all the information !

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.