Thunderbird 52.6.0 with security fixes released
Thunderbird 52.6.0 is a security update for the popular desktop email client. The release is available via the email client's automatic update feature and also on the official project website.
Thunderbird users can run a manual check for updates with a click on Help > About Thunderbird. If the menu bar is missing, tap on the Alt-key to display it.
Thunderbird will pick up the new update and download and install it automatically.
Thunderbird 52.6.0 is a security and maintenance release.
The team lists all fixed security vulnerabilities on this page. The bulk of the issues cannot be exploited through email because scripts are disabled by default when reading messages. They may, however, be exploited in browser or browser-like contexts.
- CVE-2018-5095: Integer overflow in Skia library during edge builder allocation
- CVE-2018-5096: Use-after-free while editing form elements
- CVE-2018-5097: Use-after-free when source document is manipulated during XSLT
- CVE-2018-5098: Use-after-free while manipulating form input elements
- CVE-2018-5099: Use-after-free with widget listener
- CVE-2018-5102: Use-after-free in HTML media elements
- CVE-2018-5103: Use-after-free during mouse event handling
- CVE-2018-5104: Use-after-free during font face manipulation
- CVE-2018-5117: URL spoofing with right-to-left text aligned left-to-right
- CVE-2018-5089: Memory safety bugs fixed in Firefox 58, Firefox ESR 52.6, and Thunderbird 52.6
Thunderbird 52.6.0 fixes three usability issues as well.
- Searching message bodies of messages in local folders, including filter and quick filter operations, not working reliably: Content not found in base64-encoded message parts, non-ASCII text not found and false positives found.
- Defective messages (without at least one expected header) not shown in IMAP folders but shown on mobile devices
- Calendar: Unintended task deletion if numlock is enabled
The search fix is probably the biggest improvement in the release. Thunderbird's built-in search did not work reliably in some cases. If you noticed in the past that mails were not returned by the search even though they should have been, this may have been the reason.
Thunderbird did not display defective messages in IMAP folders under certain circumstances. This is fixed as well and should work as intended.
Last but not least, a bug caused tasks to be deleted in the built-in calendar if Numlock was activated.
Thunderbird 52.6.0 is a security update and as such should be installed asap. I did not notice any issues yet after the upgrade but that is just with a couple of minutes of using the new version. If anything comes up I'll update the article.
Now You: Which email client or service do you use?
Thanks a lot for all the information !
Hello Houston : the bird has been updated.
The crew means Thunderbird, so do I :=)
Hello Tom, Thunderbird has nothing to do with Houston.
But all with the 1964 British tv series filmed on the Slough Trading Estate and played on a tropical island far away.
Some of the Thunderbirds were created after RAF’s Red Arrows aerobatics display team.
Main one personal favorite thunderbird still is:
Thunderbird 5: a space station that relays distress calls from around the world. Manned alternately by “space monitors” John and Alan.
So again nothing to do with Houston.
Hello Paul(us) :=)
I had in mind,
– “The eagle has landed” (Apollo 11) … the bird!
– “Hello Houston, we have a problem” (Apollo 13) shifted to the idea we had none!
Thanks for the valuable information!
I use Thunderbird every day for my work email, it’s great .. I watch my co-workers who won’t listen to me struggle using the goofy webmail the company has. Oh well, story of my life, I’m only right when everyone else is wrong.
thanks for the update!
“Which email client or service do you use?”
I use Thunderbird.
I’m curious, though: I disable HTML rendering — HTML in email is evil — so does that mean I’m not vulnerable to those security issues?
Just my two cents…
“Disabling HTML will of course break non-txt only emails”
Something I’m perfectly fine with. 90% of emails that I get that use HTML are spam, and with the other 10%, I’m perfectly fine just reading the HTML source.
Rendering text mails greatly reduces the risks, as hackers can’t do so much. Keep monitoring the attachments, though.
I never open attachments from strangers, and I never open attachments from people I know without confirming that they intended to send them first.
I have used Thunderbird for many years now. I even have stayed with an older version due to some changes that annoyed me in the newer ones.
Unknown senders end up in Trashbin automatically.
Still happily chugging along with Thunderbird 24.5.0.
Love Thunderbird! Been using it for a very long time. With that said just a few issues I’d really like to see addressed.
When you set a retention policy on a folder that is based on an IMAP account, you must leave Thunderbird open for at least 5 minutes or longer for the policy to kick in and actually do its job. Would be great if this could somehow be sped up.
Filters: They do a wonderful job with these and the mail is usually routed correctly, forwarded or deleted based on the rule. However, filtering also takes a long time especially when dealing with spam. You set a keyword to be looked at, set it for “Before Junk Classification” and many times it just ignores the rule completely. I’ve tried every setting possible, changed words, checked to make sure the rule is correct, changed classification settings…nothing.
Finally, it would be wonderful if Thunderbird would allow you to hide system folders set by providers. Yahoo has a folder called Bulk Mail. It’s good, appropriate and does a fine job. However, it would be nice not to be forced to have that folder listed if you don’t want to see it. I understand the need for it to exist but why not be able to hide it away?
Otherwise, Thunderbird is fabulous! Promote its use to everyone and all constantly.
T Bird with G (yuk!) Mail and paid Mailbox.org (yes!), also playing with Claws. Use Email (that’s what it’s called) for android and free web based Proton Mail.
Closed some old gmail accounts and that silly google+ thing and will soon transfer everything out. Amazing the difference in spam comparing Mailbox and Proton to Gmail. I knew google promoted spam, but there’s almost none in the other services.
T Bird’s been a good client for over a decade, hope it continues on.
I hate what the internet has become.
You’ll love Internet as it is now when you’ll discover as it will be tomorrow.
The opposite of “I love you more than yesterday but less than tomorrow” : “Internet, listen to me. Are you listening to me? Here goes : I hate you more than yesterday but less than tomorrow” :=)
Message in a bottle …
Thanks a lot, Ilev,
Why would anyone use Thunderbird over mailbird, outlook.com or even em client?