Thunderbird 68.4.1 is a security update
Thunderbird 68.4.1 was released a couple of days ago. The new version is a security update for the email client that patches a security vulnerability that is exploited in the wild as well as other security issues in the program.
Thunderbird users who are running a 68.x version of the email client should receive the update automatically provided that automatic updating has not been turned off in the client. A manual check for updates via Help > About Thunderbird in the client should pick up the new update right away so that it can be installed.
As far as security is concerned, Thunderbird 68.4.1 fixes a total of seven different security vulnerabilities; one of them rated critical, the highest severity rating, others high or moderate, the second and third highest severity rating available.
- CVE-2019-17026: IonMonkey type confusion with StoreElementHole and FallibleStoreElement
- CVE-2019-17015: Memory corruption in parent process during new content process initialization on Windows
- CVE-2019-17016: Bypass of @namespace CSS sanitization during pasting
- CVE-2019-17017: Type Confusion in XPCVariant.cpp
- CVE-2019-17021: Heap address disclosure in parent process during content process initialization on Windows
- CVE-2019-17022: CSS sanitization does not escape HTML tags
- CVE-2019-17024: Memory safety bugs fixed in Thunderbird 68.4.1
The critical security vulnerability is the same that Mozilla patched earlier this month in Firefox. Since Thunderbird relies on Firefox code, it is often affected by issues that affect the web browser.
Thunderbird 68.4.1 comes with improvements in regards to setting up Microsoft Exchange servers. The development team lists better support for IMAP/SMTP, better detection of Office 365 accounts, and re-run configuration after password change.
The new version of the email client fixes five issues that were detected in previous versions of the application:
- Fixed an issue that prevented attachments with at least one space in the name to be opened under certain circumstances.
- Fixed an issue that showed garbled content in the message display pane after changing view layouts under certain circumstances.
- Fixed an issue that caused tags to be lost in shared IMAP folders under certain circumstances.
- Theme changes to "achieve 'pixel perfection'".
- Fixed the event attendee dialog in calendar.
Thunderbird users who run Thunderbird 68.x and have not updated yet to the new version are encouraged to do so right away to protect the client from attacks.
Now You: Which email client do you use currently and why?
I use Thunderbird 52 because it does everything that I need. After trying out more recent versions, I decided to stay on 52 because the newer versions brought incompatibilities and problems, and didn’t bring anything new that I needed.
The vulnerabilities listed here don’t affect me because (unless I’m mistaken), they’re all around JS and HTML interpretation/display, and I never allow HTML rendering or JS in emails.
Mr. Fenderson,
I think you are mistaken this time.
I usually don’t rush to install TB updates for the reason you mention, i.e., they are JS related which is disabled when reading email.
As noted here https://www.mozilla.org/en-US/security/advisories/mfsa2020-04/
In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.
However some of the vulnerabilities are being exploited now!!!
CVE-2019-17026: IonMonkey type confusion with StoreElementHole and FallibleStoreElement
We are aware of targeted attacks in the wild abusing this flaw.
Of the 8 vulnerabilities, none are designated JS or HTML related. Two are CSS related, so if you feel comfortable with those, you still need to worry about the other 6.
I delayed upgrading to TB 68 as long as possible. By the time I updated to 68, many of the extensions were finally updated, and the ones that weren’t I can live without.
For others concerned about updating, I updated from 68.3.1 to 68.4.1 with no problems so far. I did make a backup first though.
@Anonymous:
CSS-related bugs don’t affect me in any way in my use case.
CVE-2019-17026 is a bug in the Javascript JIT compiler. I’m not allowing JS to execute at all, so this doesn’t affect me.
CVE-2019-17015 and CVE-2019-17021 could potentially affect me, I suppose, if they weren’t Windows-only.
CVE-2019-17017 and CVE-2019-17017 appear to only affect HTML-related things.
CVE-2019-17024 appears to have been introduced later than the version I’m using.
If my understanding is correct, none of the bugs fixed affect me. If I’m not correctly understanding, then I would dearly love for someone to correct me!
@John Fenderson, I don’t have a dog in the fight, but this sounds like the ostrich burying it’s head in the sand.
@Anonymous is telling you the vulnerability is being actively exploited RIGHT NOW.
I guess some people have to learn the hard way.
C’est la vie.
@notanon: “@Anonymous is telling you the vulnerability is being actively exploited RIGHT NOW. ”
Indeed. Not only did I understand what he was saying, I was already aware of that before he said it. No head-burying here. My eyes are wide open.
Thunderbird doesn’t work for me . Can’t send quickbooks quote with it for some reason.
I agree with Mr. Fenderson. I have locked down Thunderbird to v.52.9.1 in both Linux and Windows 10 for the same reasons: many of my key extensions would stop working if I were more current.
Does anyone know when v60 is being discontinued? I haven’t updated to v68 yet due to addon incompatibility and I’m dreading having to make the upgrade.
It’s great that we have a choice about upgrading.
TB 52.9.1 only has 69 vulnerabilities https://www.cvedetails.com/vulnerability-list/vendor_id-452/product_id-3678/version_id-266352/Mozilla-Thunderbird-52.9.1.html
I hate upgrading too, but internet facing applications present a greater risk if you don’t update.
@Anonymous: “I hate upgrading too, but internet facing applications present a greater risk if you don’t update.”
True. But in my case, anyway, the reason I won’t upgrade isn’t that I hate upgrading — it’s that the newer versions don’t do what I want. Should my version of TB actually becomes so dangerous that I am unwilling to use it, my only option will be to use a different mailreader.
There are precious few really excellent mailreaders around anymore, so I’m putting that off for as long as I can. I suspect that what will eventually happen is that I’ll have to write my own — which I should probably just go ahead an do, since a mailreader isn’t a very complex piece of software if you don’t care about rendering HTML.
@Anonymous, let him get infected, hacked, ransomwared.
No amount of rational exposition is going to change his mind until @John Fenderson gets hacked.
AFAIK, nothing’s wrong with Thunderbird, unless you don’t apply security updates (like @John Fenderson).
The fact that it hasn’t happened to him yet is merely confirmation bias on his part (or he’s part of a bot army, & doesn’t even know it yet).
@notanon, I think John Fenderson knows very well what he is doing.
@notanon: “or he’s part of a bot army, & doesn’t even know it yet”
My network is heavily locked down and monitored. Although not impossible, it is exceedingly unlikely that I could have a machine that has been botted and not notice it.
1. Disable HTML messages
2. Disable JavaScript
3. Use SSL
… … …
6. Disable the preview pane
7. Display All Headers
How To Make Thunderbird More Secure
https://www.ghacks.net/2012/01/21/how-to-make-thunderbird-more-secure/
Installed this yesterday, works fine. The only add ons I use are Compact Headers and a theme. I guess the calendar and notes thing count, too. What I do with email is very simple, Claws was fine for a while, decided to try the new TBird after a Windows Update wiped out my account by requiring a log in from an MS account whose password was, guess where, in my laptop, not on a sticky note on the refrigerator as MS likely thinks they should be. Could explain the constant stream of security vulnerabilites in their morbidly obese OS; an emergency critical vulnerability patch is supposed to be released tomorrow.
Is anyone at MS not absorbed by tinyworld in a phone all day, they’ve totally lost all touch with their customers, they work for themselves.
Fresh OS iso install, device is much more responsive now but I’m still reinstalling stuff. Fortunately, Most of my data was not on the boot drive.
Sooooo close to going Linux.
Ah, those bas***ds, they removed the option for “never check for updates”, so this thing phones home whenever its started and when I checked with a sniffer, there’s lots of data being exchanged both ways… Jeez, I hope the profile folder is still compatible with older versions, I’m gonna roll back to an earlier version.
Never mind… I found that I can still deactivate it using the “advanced config editor”. Still, I just hate when companies dumb down the UI or remove formerly user-accessible controls and offer no choice but what **they** want for the end user. Hum… sounds like the Microsoft plan.
I am still stuck on Thunderbird 68.2.2 on Ubuntu 18.04. I missed version 68.3, and now it looks like I will miss 68.4.1. I wish that Canonical were more on the ball with these updates, since they vet them. Even some the snaps which I hate, but I install to stay current, are not updated.
I installed Thunderbird 68.4.1 today (Jan. 16). It’s been a while, but better late than never, I guess :). (Ubuntu 18.04).
I updated Thunderbird from v60 to v68 (32 bit)
Previously, when launching Thunderbird, automatically new messages were searched.
With v68 this does not work anymore. After launching, I have to press “get messages” before searching starts.
Very annoying. I rolled back to v60.
There are currently NO confirmed “check for new mail” bugs in Thunderbird code when updating to 68. The most common issues are:
1. caused by Kasperskey and other antivirus
2. situations where your default mail account is set to “Local Folders” https://bugzilla.mozilla.org/show_bug.cgi?id=1584861#c15
I wonder why it even comes with JS enabled. Not that Thunderbird is alone in this, not just that all the webmails I’ve used are as vulnerable but Thunderbird is one of the few clients that even lets you turn off this sorry feature – but who the hell has use for running JavaScript in an e-mail?
@John Fenderson: Can I disable (‎true → false) all javascript values or only certain?
Examples:
javascript.options.ion
javascript.options.wasm
javascript.options.asmjs
javascript.enabled
Wayne: thanks for the Ref. Defining one of my email accounts as the default, solved the problem.
v68 is now running.
I updated today and I’m going to roll back. I’m old-fashioned and I prefer the MS Office theme to the flat black and white. It’s easier on my old eyes.