Thunderbird 52.8.0 security update released
Thunderbird 52.8.0 is a new version of the popular cross-platform email client that fixes several security vulnerabilities in the email client.
Existing Thunderbird users can run a check for updates from within the client; to do that, tap on the Alt-key on the keyboard and select Help > About Thunderbird.
The update check should pick up the new version 52.8.0 so that it is downloaded to the local system and installed.
Thunderbird 52.8.0 is available as a standalone download from the official project website as well. You may use the installer to upgrade existing installations of the email client or install it anew on a supported system.
Thunderbird 52.8.0
The release notes highlight changes and issues. Thunderbird 52.8.0 is a security update for the email client that fixes several security issues. Several security issues received the highest impact rating of critical.
Thunderbird 52.8.0 protects emails against some exploits of EFAIL, a recently disclosed attack against OpenPGP and S/Mime. Attackers may use EFAIL attacks to retrieve the actual text of encrypted messages provided that they managed to get hold of the encrypted email and that the target runs a vulnerable client.
The team plans to publish Thunderbird 52.8.1 to fix the issue completely in Thunderbird. Check out the descriptions for the vulnerabilities CVE-2018-5184 and CVE-2018-5162 for additional details.
The following issues are fixed in the new Thunderbird version:
- CVE-2018-5183: Backport critical security fixes in Skia
- CVE-2018-5184: Full plaintext recovery in S/MIME via chosen-ciphertext attack
- CVE-2018-5154: Use-after-free with SVG animations and clip paths
- CVE-2018-5155: Use-after-free with SVG animations and text paths
- CVE-2018-5159: Integer overflow and out-of-bounds write in Skia
- CVE-2018-5161: Hang via malformed headers
- CVE-2018-5162: Encrypted mail leaks plaintext through src attribute
- CVE-2018-5170: Filename spoofing for external attachments
- CVE-2018-5168: Lightweight themes can be installed without user interaction
- CVE-2018-5174: Windows Defender SmartScreen UI runs with less secure behavior for downloaded files in Windows 10 April 2018 Update
- CVE-2018-5178: Buffer overflow during UTF-8 to Unicode string conversion through legacy extension
- CVE-2018-5185: Leaking plaintext through HTML forms
- CVE-2018-5150: Memory safety bugs fixed in Firefox 60, Firefox ESR 52.8, and Thunderbird 52.8
Closing Words
Thunderbird 52.8.0 is a security update for the email client that addresses two critical security issues and several rated as high. Thunderbird users should consider upgrading the client to the new version as soon as possible.
Those who use OpenPGP or S/Mime should install the patch asap; it is still recommended to block remote content in Thunderbird to block attacks.
Now You: Which email software do you run?
Previous Post: « OpenPGP and S/Mime vulnerability EFAIL discovered
Next Post: Add domain and icon to Gmail's email listings »
Thanks a lot for the heads-up and the tips regarding the security settings!
Thanks, Martin.
“Which email software do you run?”
Thunderbird 52.8.0. :)
Martin dumbing down those questions
Thanks for the reminder. Now Thunderbird is uptodate.
When the 60 will be released, and what about the 64 bits ?
I’m using version 3.1.20 on Windows 10
Should I update? ;)
I never cared for Thunderbird past the 2x releases. I love it back then. But the new indexing in v3 and beyond seemed to slow things down. Maybe I should give ‘er another chance after all of these years.
:)
Just updated to 52.8.0 , but now I keep getting notices that I have new messages but they are not visible unless I go into Folder Properties and follow prompts to repair the folder. What’s up? How can I stop this? It wasn’t like this before the update.