Thunderbird 68.4.1 is a security update

Martin Brinkmann
Jan 13, 2020
Updated • Jan 13, 2020
Email, Thunderbird

Thunderbird 68.4.1 was released a couple of days ago. The new version is a security update for the email client that patches a security vulnerability that is exploited in the wild as well as other security issues in the program.

Thunderbird users who are running a 68.x version of the email client should receive the update automatically provided that automatic updating has not been turned off in the client. A manual check for updates via Help > About Thunderbird in the client should pick up the new update right away so that it can be installed.

As far as security is concerned, Thunderbird 68.4.1 fixes a total of seven different security vulnerabilities: one of them is rated critical, the highest severity rating; the others are rated high or moderate, the second and third highest severity ratings.

  1. CVE-2019-17026: IonMonkey type confusion with StoreElementHole and FallibleStoreElement
  2. CVE-2019-17015: Memory corruption in parent process during new content process initialization on Windows
  3. CVE-2019-17016: Bypass of @namespace CSS sanitization during pasting
  4. CVE-2019-17017: Type Confusion in XPCVariant.cpp
  5. CVE-2019-17021: Heap address disclosure in parent process during content process initialization on Windows
  6. CVE-2019-17022: CSS sanitization does not escape HTML tags
  7. CVE-2019-17024: Memory safety bugs fixed in Thunderbird 68.4.1

The critical security vulnerability is the same that Mozilla patched earlier this month in Firefox. Since Thunderbird relies on Firefox code, it is often affected by issues that affect the web browser.

Thunderbird 68.4.1 also comes with improvements for setting up Microsoft Exchange servers. The development team lists better support for IMAP/SMTP, better detection of Office 365 accounts, and re-running the account configuration after a password change.

The new version of the email client fixes five issues that were detected in previous versions of the application:

  • Fixed an issue that prevented attachments with at least one space in the name from being opened under certain circumstances.
  • Fixed an issue that showed garbled content in the message display pane after changing view layouts under certain circumstances.
  • Fixed an issue that caused tags to be lost in shared IMAP folders under certain circumstances.
  • Theme changes to "achieve 'pixel perfection'".
  • Fixed the event attendee dialog in calendar.

Thunderbird users who run Thunderbird 68.x and have not updated yet to the new version are encouraged to do so right away to protect the client from attacks.

Now You: Which email client do you use currently and why?

Ghacks Technology News

Comments

  1. SueS said on January 24, 2020 at 10:20 pm

    I updated today and I’m going to roll back. I’m old-fashioned and I prefer the MS Office theme to the flat black and white. It’s easier on my old eyes.

  2. boudeman said on January 17, 2020 at 12:27 pm

    Wayne: thanks for the Ref. Defining one of my email accounts as the default, solved the problem.
    v68 is now running.

  3. Anonymous said on January 16, 2020 at 11:11 pm

    @John Fenderson: Can I disable (true → false) all javascript values or only certain?

    Examples:
    javascript.options.ion
    javascript.options.wasm
    javascript.options.asmjs
    javascript.enabled

  4. The_Punisher said on January 16, 2020 at 9:55 pm

    I wonder why it even comes with JS enabled. Not that Thunderbird is alone in this, not just that all the webmails I’ve used are as vulnerable but Thunderbird is one of the few clients that even lets you turn off this sorry feature – but who the hell has use for running JavaScript in an e-mail?

  5. boudeman said on January 15, 2020 at 12:38 pm

    I updated Thunderbird from v60 to v68 (32 bit)
    Previously, when launching Thunderbird, automatically new messages were searched.
    With v68 this does not work anymore. After launching, I have to press “get messages” before searching starts.
    Very annoying. I rolled back to v60.

    1. Wayne said on January 16, 2020 at 3:53 pm

      There are currently NO confirmed “check for new mail” bugs in Thunderbird code when updating to 68. The most common issues are:
      1. caused by Kaspersky and other antivirus
      2. situations where your default mail account is set to “Local Folders” https://bugzilla.mozilla.org/show_bug.cgi?id=1584861#c15

  6. Anonymous said on January 14, 2020 at 7:23 pm

    I am still stuck on Thunderbird 68.2.2 on Ubuntu 18.04. I missed version 68.3, and now it looks like I will miss 68.4.1. I wish that Canonical were more on the ball with these updates, since they vet them. Even some of the snaps, which I hate but install to stay current, are not updated.

    1. Anonymous said on January 16, 2020 at 9:52 pm

      I installed Thunderbird 68.4.1 today (Jan. 16). It’s been a while, but better late than never, I guess :). (Ubuntu 18.04).

  7. John in Mtl said on January 14, 2020 at 4:22 am

    Ah, those bas***ds, they removed the option for “never check for updates”, so this thing phones home whenever its started and when I checked with a sniffer, there’s lots of data being exchanged both ways… Jeez, I hope the profile folder is still compatible with older versions, I’m gonna roll back to an earlier version.

    1. John in Mtl said on January 14, 2020 at 4:31 pm

      Never mind… I found that I can still deactivate it using the “advanced config editor”. Still, I just hate when companies dumb down the UI or remove formerly user-accessible controls and offer no choice but what **they** want for the end user. Hum… sounds like the Microsoft plan.

  8. ULBoom said on January 14, 2020 at 1:43 am

    Installed this yesterday, works fine. The only add-ons I use are Compact Headers and a theme. I guess the calendar and notes thing count, too. What I do with email is very simple, Claws was fine for a while, decided to try the new TBird after a Windows Update wiped out my account by requiring a log in from an MS account whose password was, guess where, in my laptop, not on a sticky note on the refrigerator as MS likely thinks they should be. Could explain the constant stream of security vulnerabilities in their morbidly obese OS; an emergency critical vulnerability patch is supposed to be released tomorrow.

    Is anyone at MS not absorbed by tinyworld in a phone all day, they’ve totally lost all touch with their customers, they work for themselves.

    Fresh OS iso install, device is much more responsive now but I’m still reinstalling stuff. Fortunately, most of my data was not on the boot drive.

    Sooooo close to going Linux.

  9. Anonymous said on January 13, 2020 at 8:15 pm

    It’s great that we have a choice about upgrading.

    TB 52.9.1 only has 69 vulnerabilities https://www.cvedetails.com/vulnerability-list/vendor_id-452/product_id-3678/version_id-266352/Mozilla-Thunderbird-52.9.1.html

    I hate upgrading too, but internet facing applications present a greater risk if you don’t update.

    1. notanon said on January 14, 2020 at 1:38 am

      @Anonymous, let him get infected, hacked, ransomwared.

      No amount of rational exposition is going to change his mind until @John Fenderson gets hacked.

      AFAIK, nothing’s wrong with Thunderbird, unless you don’t apply security updates (like @John Fenderson).

      The fact that it hasn’t happened to him yet is merely confirmation bias on his part (or he’s part of a bot army, & doesn’t even know it yet).

      1. John Fenderson said on January 14, 2020 at 5:17 pm

        @notanon: “or he’s part of a bot army, & doesn’t even know it yet”

        My network is heavily locked down and monitored. Although not impossible, it is exceedingly unlikely that I could have a machine that has been botted and not notice it.

      2. nonaton said on January 16, 2020 at 9:59 am

        1. Disable HTML messages
        2. Disable JavaScript
        3. Use SSL
        … … …
        6. Disable the preview pane
        7. Display All Headers

        How To Make Thunderbird More Secure
        https://www.ghacks.net/2012/01/21/how-to-make-thunderbird-more-secure/
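The two comments above ask which javascript.* preferences can be flipped and list "Disable HTML messages" and "Disable JavaScript" as hardening steps. The script below is an added example, not code from the article or from the Thunderbird project: it parses the user_pref("name", value); lines of a Thunderbird prefs.js or user.js file and reports which of those preferences are still at a non-hardened value or are not set at all (so the built-in default applies). The preference names javascript.enabled, javascript.options.ion, javascript.options.wasm and javascript.options.asmjs come from the comments; mailnews.display.html_as with value 1 for plain-text display is an assumed mapping for the "Disable HTML messages" step, and the sample prefs file is constructed, not taken from any real profile.

```python
import re
from typing import Dict, List, Optional, Tuple, Union

PrefValue = Union[bool, int, str]

# Hardened baseline. The javascript.* names are the ones asked about in the
# comments; mailnews.display.html_as is assumed to be the preference behind
# View > Message Body As, with 1 selecting plain text (verify in your own
# profile before relying on it).
HARDENED_BASELINE: Dict[str, PrefValue] = {
    "javascript.enabled": False,
    "javascript.options.ion": False,
    "javascript.options.wasm": False,
    "javascript.options.asmjs": False,
    "mailnews.display.html_as": 1,
}

# Each setting in prefs.js / user.js is one line: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def _decode_value(raw: str) -> PrefValue:
    """Turn the literal after the comma into a Python bool, int or str."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw  # leave anything unexpected as the raw text


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse the user_pref(...) lines of a prefs.js/user.js file.

    Comment and blank lines are skipped; a later line for the same name
    overrides an earlier one.
    """
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _decode_value(m.group(2).strip())
    return prefs


def audit_prefs(
    prefs: Dict[str, PrefValue], baseline: Dict[str, PrefValue] = HARDENED_BASELINE
) -> List[Tuple[str, PrefValue, Optional[PrefValue]]]:
    """Return (name, expected, actual) for every baseline preference that is
    absent (actual is None, so the default applies) or not at the hardened value.
    The type check stops Python from treating True as equal to 1."""
    findings = []
    for name, expected in baseline.items():
        actual = prefs.get(name)
        if actual is None or actual != expected or type(actual) is not type(expected):
            findings.append((name, expected, actual))
    return findings


def report(text: str) -> List[str]:
    """One human-readable line per finding."""
    lines = []
    for name, expected, actual in audit_prefs(parse_prefs(text)):
        shown = "not set (default applies)" if actual is None else repr(actual)
        lines.append(f"{name}: expected {expected!r}, found {shown}")
    return lines


# Constructed sample resembling a prefs.js (not taken from any real profile).
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("javascript.enabled", true);
user_pref("javascript.options.ion", false);
user_pref("mailnews.display.html_as", 0);
user_pref("mail.server.default.check_new_mail", true);
user_pref("mail.identity.id1.fullName", "Example User");
"""

if __name__ == "__main__":
    # Point this at ~/.thunderbird/<profile>/prefs.js to audit a real profile.
    for line in report(SAMPLE_PREFS_JS):
        print(line)
```

Running it on the constructed sample flags javascript.enabled (set to true), the two javascript.options.* entries that are not set at all, and the HTML display mode; javascript.options.ion passes because it is already false. Preferences that are absent from prefs.js are reported rather than ignored, since an absent entry means the compiled-in default is in force, not a hardened one.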

      3. nonaton said on January 14, 2020 at 1:14 pm

        @notanon, I think John Fenderson knows very well what he is doing.

    2. John Fenderson said on January 13, 2020 at 8:53 pm

      @Anonymous: “I hate upgrading too, but internet facing applications present a greater risk if you don’t update.”

      True. But in my case, anyway, the reason I won’t upgrade isn’t that I hate upgrading — it’s that the newer versions don’t do what I want. Should my version of TB actually become so dangerous that I am unwilling to use it, my only option will be to use a different mailreader.

      There are precious few really excellent mailreaders around anymore, so I’m putting that off for as long as I can. I suspect that what will eventually happen is that I’ll have to write my own — which I should probably just go ahead and do, since a mailreader isn’t a very complex piece of software if you don’t care about rendering HTML.

  10. Ray said on January 13, 2020 at 6:55 pm

    Does anyone know when v60 is being discontinued? I haven’t updated to v68 yet due to addon incompatibility and I’m dreading having to make the upgrade.

  11. RAC2010 said on January 13, 2020 at 6:38 pm

    I agree with Mr. Fenderson. I have locked down Thunderbird to v.52.9.1 in both Linux and Windows 10 for the same reasons: many of my key extensions would stop working if I were more current.

  12. John Fenderson said on January 13, 2020 at 5:43 pm

    I use Thunderbird 52 because it does everything that I need. After trying out more recent versions, I decided to stay on 52 because the newer versions brought incompatibilities and problems, and didn’t bring anything new that I needed.

    The vulnerabilities listed here don’t affect me because (unless I’m mistaken), they’re all around JS and HTML interpretation/display, and I never allow HTML rendering or JS in emails.

    1. Anonymous said on January 13, 2020 at 6:28 pm

      Mr. Fenderson,
      I think you are mistaken this time.

      I usually don’t rush to install TB updates for the reason you mention, i.e., they are JS related which is disabled when reading email.
      As noted here https://www.mozilla.org/en-US/security/advisories/mfsa2020-04/
      In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

      However some of the vulnerabilities are being exploited now!!!

      CVE-2019-17026: IonMonkey type confusion with StoreElementHole and FallibleStoreElement

      We are aware of targeted attacks in the wild abusing this flaw.

      Of the 8 vulnerabilities, none are designated JS or HTML related. Two are CSS related, so if you feel comfortable with those, you still need to worry about the other 6.

      I delayed upgrading to TB 68 as long as possible. By the time I updated to 68, many of the extensions were finally updated, and the ones that weren’t I can live without.

      For others concerned about updating, I updated from 68.3.1 to 68.4.1 with no problems so far. I did make a backup first though.

      1. Bernard Miron said on January 13, 2020 at 11:35 pm

        Thunderbird doesn’t work for me. Can’t send QuickBooks quotes with it for some reason.

      2. John Fenderson said on January 13, 2020 at 6:52 pm

        @Anonymous:

        CSS-related bugs don’t affect me in any way in my use case.

        CVE-2019-17026 is a bug in the Javascript JIT compiler. I’m not allowing JS to execute at all, so this doesn’t affect me.

        CVE-2019-17015 and CVE-2019-17021 could potentially affect me, I suppose, if they weren’t Windows-only.

        CVE-2019-17017 and CVE-2019-17017 appear to only affect HTML-related things.

        CVE-2019-17024 appears to have been introduced later than the version I’m using.

        If my understanding is correct, none of the bugs fixed affect me. If I’m not correctly understanding, then I would dearly love for someone to correct me!

      3. notanon said on January 14, 2020 at 1:32 am

        @John Fenderson, I don’t have a dog in the fight, but this sounds like the ostrich burying its head in the sand.

        @Anonymous is telling you the vulnerability is being actively exploited RIGHT NOW.

        I guess some people have to learn the hard way.

        C’est la vie.

      4. John Fenderson said on January 14, 2020 at 5:15 pm

        @notanon: “@Anonymous is telling you the vulnerability is being actively exploited RIGHT NOW. ”

        Indeed. Not only did I understand what he was saying, I was already aware of that before he said it. No head-burying here. My eyes are wide open.
