Thunderbird 102.2.1 launches with important security fixes

Martin Brinkmann
Sep 1, 2022
Thunderbird
|
11

Thunderbird 102.2.1 is now available. The new version of the open source email client fixes several security issues in Thunderbird and includes other changes.

thunderbird 102
image credit: Thunderbird

The security update addresses several vulnerabilities that may overcome the built-in remote content blocking mechanism.

Thunderbird 102.2.1 is already available as an in-client update and as a separate download from the official project website. Existing users may select Help > About Thunderbird to display the current version. The program runs an automatic check for updates at this point to download and install any new version that is found during the check.

Thunderbird 102.2.1

thunderbird 102.2.1

ADVERTISEMENT

The official security advisories page lists four different security issues that are patched in the new email client version. One issues is rated high, the other three are rated moderate.

  • CVE-2022-3033: Leaking of sensitive information when composing a response to an HTML email with a META refresh tag
  • CVE-2022-3032: Remote content specified in an HTML document that was nested inside an iframe's srcdoc attribute was not blocked
  • CVE-2022-3034: An iframe element in an HTML email could trigger a network request
  • CVE-2022-36059: Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack

The security issue rated high addresses the following issue. Emails that contain a meta tag with the http-equiv="refresh" and content attribute specifying an URL, could bypass the remote content block of the email client when a user replied to these emails.

The attacker could abuse it to run JavaScript code in "the context of the message compose document", which allowed the threat actor to read and modify the content of the message compose document; this could include the decrypted content of an encrypted message, and this data could be transferred to another server.

Two of the three remaining vulnerabilities address remote content blocking bypass issues as well. The second vulnerability loaded remote objects in an HTML email that contained an iframe element and used a srcdoc attribute to define the inner HTML document. Remote content, such as images or videos, could be loaded that way from remote locations.

The third addresses an issue with HTML emails that specified to load an iframe from a remote location. The request was sent but Thunderbird never displayed the document.

The fourth vulnerability corrects an issue in the Matrix chat protocol, which could make Thunderbird vulnerable to denial of service attacks.

Other changes

The official release notes lists several non-security improvements and fixes in the email client. The only new feature in Thunderbird 102.2.1 is the -calendar startup parameter to load the Calendar on start of the email client.

The only change displays a button now during account setup to connect automatically discovered address books and calendars.

More than a dozen fixes are listed. They address a whole range of issues, including Pop email retrieval issues after network errors and recoveries, issues when exporting a profile, or issues when updating mail quota colors.

Now you: Thunderbird 102, still the previous version, or something else entirely for emails?

Summary
Thunderbird 102.2.1 launches with important security fixes
Article Name
Thunderbird 102.2.1 launches with important security fixes
Description
Thunderbird 102.2.1 is now available. The new version of the open source email client fixes several security issues.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: «

Comments

  1. pd said on September 1, 2022 at 4:07 pm
    Reply

    Wow, that’s quite an unfortunate oversight to not check if HTML emails reloading themselves, with a very common meta tag, have the same content blocking applied as initial loading of HTML emails.

    Sounds like a flaw Cherry Ripe for phishing scumbags to use. Pretty much red carpet ride for those mongrels.

    User: huh, did that email just blink [reload itself without visually changing because the nefarious phishing code is hidden] at me? Oh well, I’ll just go on and click this … anyway.

    Thunderbird’s developers seem to be struggling in such a way that could be expected / excused (but not long term feasible to tolerate) if they were the tiny team they formerly were. But didn’t their fortunes see somewhat of a uplift of recent times? With more developers employed? Maybe going from a few people to half a dozen or whatnot is still far from enough to prevent this sort of oversight?

    It’s one thing for hackers to identify relatively subtle / complex security holes like buffer overflows but this one sounds like a lack of cross checking.

  2. hrmroe said on September 1, 2022 at 9:47 pm
    Reply

    my linux repository latest package stop in version 91.13. there is not 102.2.1 update for ubuntu 18.04 lts.

    1. Klaas Vaak said on September 2, 2022 at 6:47 am
      Reply

      @hmroe: you can manually download the Thunderbird 102 package fro Linux and install it. Then set it to update automatically.

    2. owl said on September 2, 2022 at 8:24 am
      Reply

      Note,
      The following 4 security patches in the article are all vulnerabilities specific to major upgrade “102”; they are not relevant for “91.x”.
      1. CVE-2022-3033: Leaking of sensitive information when composing a response to an HTML email with a META refresh tag
      2. CVE-2022-3032: Remote content specified in an HTML document that was nested inside an iframe’s srcdoc attribute was not blocked
      3. CVE-2022-3034: An iframe element in an HTML email could trigger a network request
      4. CVE-2022-36059: Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack

      About the “automatic update” and “manual update” methods:
      https://www.ghacks.net/2022/08/24/thunderbird-102-2-0-is-a-security-and-bug-fix-update/#comment-4546487

    3. ShintoPlasm said on September 2, 2022 at 12:37 pm
      Reply

      Flatpaks are your friend.

  3. owl said on September 2, 2022 at 4:56 am
    Reply

    Bug 1786191: Folders with half-width Kana names are corrupted when updating to Thunderbird 102,” a bug reported on August 22, 2022, from the user forum (forums.mozillazine.jp), has also been fixed in Thunderbird 102.2 .1 has been fixed.
    As it stands on the user forum, reports of issues in the major upgrade version “102” have finally subsided.

    Thunderbird “91.x” is currently 91.13 and support will continue through September 20. After that, it will be migrated to a major upgrade version via automatic updates.

  4. Anonymous said on September 2, 2022 at 6:59 am
    Reply

    Running 91.13.0.
    Checked for updates, and it is offering 102.2.1

    1. owl said on September 2, 2022 at 9:22 am
      Reply

      If you see [Update to 102.x], pressing the button will perform a “manual update”!
      If you see [Restart Thunderbird to Update], it means “automatic update” notification!
      In short, the display of [Update to 102.x] is just a notice that “You can update (upgrade) to 102.x”.
      https://www.ghacks.net/2022/08/24/thunderbird-102-2-0-is-a-security-and-bug-fix-update/#comment-4546487

  5. Joe said on September 3, 2022 at 7:25 pm
    Reply

    I am using Aol mail ( was Verizon email). Now I keep getting message that the server does not support the suthentiaction method selected. All was working well begore this update. I probably need to have AOL generate a passcode. Should I use 0Auth2 or “normal password” as authentication method?

    1. owl said on September 4, 2022 at 1:08 am
      Reply

      @Joe,

      I am not using “AOL” and I am posting that Help below.
      AOL Mail POP and IMAP settings – AOL Help
      https://help.aol.com/articles/how-do-i-set-up-other-email-applications-to-send-and-receive-my-verizon-net-mail
      For more information, please check the official Help.
      AOL Mail – AOL Help
      https://help.aol.com/products/aol-mail

  6. Joe said on September 4, 2022 at 6:43 pm
    Reply

    Owl,

    Thank you….

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.