Thunderbird 102.2.1 launches with important security fixes
Thunderbird 102.2.1 is now available. The new version of the open source email client fixes several security issues in Thunderbird and includes other changes.
The security update addresses several vulnerabilities that could bypass the client's built-in remote content blocking.
Thunderbird 102.2.1 is already available as an in-client update and as a separate download from the official project website. Existing users may select Help > About Thunderbird to display the current version. The program runs an automatic check for updates at this point to download and install any new version that is found during the check.
Thunderbird 102.2.1
The official security advisory lists four security issues that are patched in the new email client version. One issue is rated high, the other three are rated moderate.
- CVE-2022-3033: Leaking of sensitive information when composing a response to an HTML email with a META refresh tag
- CVE-2022-3032: Remote content specified in an HTML document that was nested inside an iframe's srcdoc attribute was not blocked
- CVE-2022-3034: An iframe element in an HTML email could trigger a network request
- CVE-2022-36059: Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack
The high-rated issue, CVE-2022-3033, concerns emails that contain a meta tag with http-equiv="refresh" and a content attribute specifying a URL. When a user replied to such an email, Thunderbird started a network request to that URL regardless of the remote content blocking setting.
In combination with other HTML elements and attributes in the message, an attacker could run JavaScript code "in the context of the message compose document". That code could read and modify the compose document, including the quoted original message, which may contain the decrypted plaintext of an encrypted email, and transmit that data to the URL named in the META refresh tag or to any other server. According to the advisory, users who had changed the message body display setting to "simple HTML" or "plain text" were not affected.
Two of the three remaining vulnerabilities are remote content blocking bypasses as well. In CVE-2022-3032, an HTML email could contain an iframe element whose srcdoc attribute defines a nested HTML document; remote content referenced from that nested document, such as images or videos, was loaded even though remote content blocking was enabled.
In CVE-2022-3034, an HTML email could specify an iframe whose src pointed at a remote location. Thunderbird never displayed the document, but it still sent the network request, which is exactly what remote content blocking is meant to prevent: the request confirms to the sender that the message was opened and exposes the recipient's IP address.
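The three bypasses above share one cause: not every reference that triggers a fetch was checked in every place a message body gets rendered. As an added example, not Thunderbird's own code, the following JavaScript audits an HTML message body for everything that would cause a network request, including META refresh targets, iframe src attributes and documents nested inside an iframe srcdoc, while leaving cid: inline attachments and data: URLs alone. The tag scanner, the sample messages and the tracker.example host are constructed for this example.

```javascript
// Added example, not Thunderbird's own code: audit an HTML message body for
// every reference that would trigger a network request, so a "block remote
// content" policy can be checked against all three vectors patched in
// 102.2.1: META refresh URLs, documents nested in an iframe's srcdoc attribute,
// and iframe src loads that never get displayed. The tag scanner below is a
// small purpose-built tokenizer, not a full HTML parser.

// Element/attribute pairs that cause a fetch when the document is rendered.
const REMOTE_ATTRS = {
  img: ['src', 'srcset'],
  iframe: ['src'],
  video: ['src', 'poster'],
  audio: ['src'],
  source: ['src', 'srcset'],
  link: ['href'],
  script: ['src'],
  object: ['data'],
  embed: ['src'],
};

// Matches one start tag; quoted attribute values may contain '>' or '<'.
const TAG_RE = /<([a-zA-Z][\w-]*)((?:[^>"']|"[^"]*"|'[^']*')*)>/g;

// Decode the entities that appear when an HTML document is stored inside
// a srcdoc attribute value (the nested document is attribute-escaped).
function decodeEntities(s) {
  const map = { quot: '"', apos: "'", lt: '<', gt: '>', amp: '&', '#39': "'", '#x27': "'" };
  return s.replace(/&(quot|apos|lt|gt|amp|#39|#x27);/gi, (_, name) => map[name.toLowerCase()]);
}

// Parse the attribute list of a start tag into a lowercase-name map.
function parseAttrs(raw) {
  const attrs = {};
  const re = /([^\s=\/"'>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Extract the target of <meta http-equiv="refresh" content="N; url=...">.
function refreshUrl(content) {
  const m = /^\s*\d*\s*[;,]\s*url\s*=\s*['"]?([^'"\s]+)/i.exec(content);
  return m ? m[1] : null;
}

// Only http(s) and protocol-relative URLs leave the machine; cid: (inline
// attachments) and data: URLs do not and must not be flagged.
function isRemote(url) {
  return /^(?:https?:)?\/\//i.test(url.trim());
}

// srcset holds "url descriptor, url descriptor, ..." pairs.
function candidateUrls(attrName, value) {
  if (attrName !== 'srcset') return [value.trim()];
  return value.split(',').map((c) => c.trim().split(/\s+/)[0]).filter(Boolean);
}

// Walk the document and every srcdoc-nested document, collecting the
// references that would cause a network request when rendered.
function findRemoteReferences(html, depth = 0, findings = []) {
  if (depth > 8) return findings; // guard against pathological nesting
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    if (tag === 'meta' && (attrs['http-equiv'] || '').toLowerCase() === 'refresh') {
      const url = refreshUrl(attrs.content || '');
      if (url && isRemote(url)) findings.push({ vector: 'meta-refresh', url, depth });
    }
    if (tag === 'iframe' && 'srcdoc' in attrs) {
      // The nested document must be scanned with the same policy (CVE-2022-3032).
      findRemoteReferences(decodeEntities(attrs.srcdoc), depth + 1, findings);
    }
    for (const name of REMOTE_ATTRS[tag] || []) {
      if (!(name in attrs)) continue;
      for (const url of candidateUrls(name, attrs[name])) {
        if (isRemote(url)) findings.push({ vector: `${tag}[${name}]`, url, depth });
      }
    }
  }
  return findings;
}

// Constructed sample messages (not real phishing samples), one per vector.
const SAMPLES = {
  metaRefresh:
    '<html><head><meta http-equiv="Refresh" content="0; url=http://tracker.example/r?id=42"></head>' +
    '<body>Please review the attached invoice.</body></html>',
  nestedSrcdoc:
    '<p>Hello</p><iframe srcdoc="&lt;img src=&quot;https://tracker.example/pixel.gif&quot;&gt;"></iframe>',
  iframeSrc:
    '<div>Report</div><iframe src="https://tracker.example/frame" style="display:none"></iframe>',
  benign:
    '<p>Logo: <img src="cid:logo@local"> and <img src="data:image/gif;base64,R0lGOD"></p>' +
    '<meta http-equiv="refresh" content="5"><a href="https://example.org">link</a>',
};

// Returns the remote references found per sample; the benign sample must
// be empty or the policy produces false positives on inline attachments.
function auditSamples() {
  const out = {};
  for (const [name, html] of Object.entries(SAMPLES)) out[name] = findRemoteReferences(html);
  return out;
}

console.log(JSON.stringify(auditSamples(), null, 2));
```

The point of the srcdoc recursion and of flagging an iframe src even when nothing would be displayed is that the policy decision has to be made on what the engine will fetch, not on what the user will see; a blocker that only inspects the top-level document at first display misses exactly the cases above.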
The fourth vulnerability, CVE-2022-36059, is not in Thunderbird's own code but in the Matrix SDK bundled with the client for its Matrix chat support; it could be abused for denial of service attacks against Thunderbird.
Other changes
The official release notes list several non-security improvements and fixes in the email client. The only new feature in Thunderbird 102.2.1 is the -calendar startup parameter, which opens the Calendar when the email client starts.
The single listed change: account setup now displays a button to connect automatically discovered address books and calendars.
More than a dozen fixes are listed. They address a range of issues, including POP email retrieval failing after network errors and recovery, problems when exporting a profile, and mail quota colors not updating.
Now you: Thunderbird 102, still the previous version, or something else entirely for emails?
Owl,
Thank you….
I am using AOL mail (was Verizon email). Now I keep getting a message that the server does not support the authentication method selected. All was working well before this update. I probably need to have AOL generate a passcode. Should I use OAuth2 or “normal password” as the authentication method?
@Joe,
I am not using “AOL” and I am posting that Help below.
AOL Mail POP and IMAP settings – AOL Help
https://help.aol.com/articles/how-do-i-set-up-other-email-applications-to-send-and-receive-my-verizon-net-mail
For more information, please check the official Help.
AOL Mail – AOL Help
https://help.aol.com/products/aol-mail
Running 91.13.0.
Checked for updates, and it is offering 102.2.1
If you see [Update to 102.x], pressing the button will perform a “manual update”!
If you see [Restart Thunderbird to Update], it means “automatic update” notification!
In short, the display of [Update to 102.x] is just a notice that “You can update (upgrade) to 102.x”.
https://www.ghacks.net/2022/08/24/thunderbird-102-2-0-is-a-security-and-bug-fix-update/#comment-4546487
“Bug 1786191: Folders with half-width Kana names are corrupted when updating to Thunderbird 102,” a bug reported on August 22, 2022, on the user forum (forums.mozillazine.jp), has also been fixed in Thunderbird 102.2.1.
As it stands on the user forum, reports of issues in the major upgrade version “102” have finally subsided.
Thunderbird “91.x” is currently 91.13 and support will continue through September 20. After that, it will be migrated to a major upgrade version via automatic updates.
My Linux repository's latest package stops at version 91.13. There is no 102.2.1 update for Ubuntu 18.04 LTS.
Flatpaks are your friend.
Note,
The following 4 security patches in the article are all vulnerabilities specific to major upgrade “102”; they are not relevant for “91.x”.
1. CVE-2022-3033: Leaking of sensitive information when composing a response to an HTML email with a META refresh tag
2. CVE-2022-3032: Remote content specified in an HTML document that was nested inside an iframe’s srcdoc attribute was not blocked
3. CVE-2022-3034: An iframe element in an HTML email could trigger a network request
4. CVE-2022-36059: Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack
About the “automatic update” and “manual update” methods:
https://www.ghacks.net/2022/08/24/thunderbird-102-2-0-is-a-security-and-bug-fix-update/#comment-4546487
@hmroe: you can manually download the Thunderbird 102 package for Linux and install it. Then set it to update automatically.
Wow, that’s quite an unfortunate oversight to not check if HTML emails reloading themselves, with a very common meta tag, have the same content blocking applied as initial loading of HTML emails.
Sounds like a flaw Cherry Ripe for phishing scumbags to use. Pretty much red carpet ride for those mongrels.
User: huh, did that email just blink [reload itself without visually changing because the nefarious phishing code is hidden] at me? Oh well, I’ll just go on and click this … anyway.
Thunderbird’s developers seem to be struggling in a way that could be expected / excused (but not long term feasible to tolerate) if they were the tiny team they formerly were. But didn’t their fortunes see somewhat of an uplift in recent times? With more developers employed? Maybe going from a few people to half a dozen or whatnot is still far from enough to prevent this sort of oversight?
It’s one thing for hackers to identify relatively subtle / complex security holes like buffer overflows but this one sounds like a lack of cross checking.