Thunderbird 102.2.1 launches with important security fixes

Thunderbird 102.2.1 is now available. The new version of the open source email client fixes several security issues in Thunderbird and includes other changes.

Image credit: Thunderbird

The security update addresses several vulnerabilities that may overcome the built-in remote content blocking mechanism.

Thunderbird 102.2.1 is already available as an in-client update and as a separate download from the official project website. Existing users may select Help > About Thunderbird to display the current version. The program runs an automatic check for updates at this point to download and install any new version that is found during the check.

Thunderbird 102.2.1


The official security advisories page lists four different security issues that are patched in the new email client version. One issue is rated high, the other three are rated moderate.

  • CVE-2022-3033: Leaking of sensitive information when composing a response to an HTML email with a META refresh tag
  • CVE-2022-3032: Remote content specified in an HTML document that was nested inside an iframe's srcdoc attribute was not blocked
  • CVE-2022-3034: An iframe element in an HTML email could trigger a network request
  • CVE-2022-36059: Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack

The issue rated high is the following. Emails that contain a meta tag with http-equiv="refresh" and a content attribute specifying a URL could bypass the remote content block of the email client when a user replied to these emails.

An attacker could abuse it to run JavaScript code in "the context of the message compose document", which allowed the threat actor to read and modify the content of the message compose document; this could include the decrypted content of an encrypted message, and this data could be transferred to another server.


Two of the three remaining vulnerabilities address remote content blocking bypass issues as well. The second vulnerability loaded remote objects in an HTML email that contained an iframe element and used a srcdoc attribute to define the inner HTML document. Remote content, such as images or videos, could be loaded that way from remote locations.

The third addresses an issue with HTML emails that specified to load an iframe from a remote location. The request was sent but Thunderbird never displayed the document.

The fourth vulnerability corrects an issue in the Matrix chat protocol, which could make Thunderbird vulnerable to denial of service attacks.
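
The three remote content constructs described above (a META refresh with a URL, remote references inside an iframe's srcdoc, and an iframe with a remote src) can be flagged in HTML mail bodies at a gateway or during triage, which helps while unpatched clients are still in use. The following Python scanner is an added example, not Thunderbird code; the function and class names, the finding labels and the sample bodies are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# http://, https:// and protocol-relative // references count as remote.
REMOTE = re.compile(r"\s*(?:https?:)?//", re.I)
URL_ATTRS = ("src", "poster", "background", "data")


class BypassScanner(HTMLParser):
    """Collects the three remote-content constructs named in the advisories."""

    def __init__(self, nested=False):
        super().__init__(convert_charrefs=True)
        self.nested = nested      # True while parsing an iframe's srcdoc
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {name: value or "" for name, value in attrs}
        if tag == "meta" and a.get("http-equiv", "").strip().lower() == "refresh":
            # content is "<delay>; url=<target>"; a bare delay has no target.
            if re.search(r"[;,]\s*\S", a.get("content", "")):
                self.findings.append("meta-refresh-url")
        elif tag == "iframe":
            if REMOTE.match(a.get("src", "")):
                self.findings.append("iframe-remote-src")
            if "srcdoc" in a:
                # The parser has already decoded entities in the attribute,
                # so the value is the inner HTML document itself.
                self.findings += scan_html_body(a["srcdoc"], nested=True)
        elif self.nested and any(REMOTE.match(a.get(n, "")) for n in URL_ATTRS):
            self.findings.append("srcdoc-remote-content")


def scan_html_body(html, nested=False):
    """Return finding labels in document order for one HTML mail body."""
    scanner = BypassScanner(nested)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample bodies; the .example hosts are placeholders.
SAMPLES = {
    "refresh": '<meta http-equiv="refresh" content="0; url=https://collector.example/x">',
    "srcdoc": '<iframe srcdoc="&lt;img src=\'https://tracker.example/p.png\'&gt;"></iframe>',
    "iframe": '<iframe src="https://tracker.example/frame.html"></iframe>',
    "benign": '<meta http-equiv="refresh" content="30"><p>Hello</p><img src="cid:logo">',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, scan_html_body(body))
```

Ordinary top-level remote images are deliberately not reported, since the client's normal remote content blocking already covers them; only the constructs that bypassed it are flagged.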

Other changes

The official release notes list several non-security improvements and fixes in the email client. The only new feature in Thunderbird 102.2.1 is the -calendar startup parameter to load the Calendar on start of the email client.

The one change now displays a button during account setup to connect automatically discovered address books and calendars.

More than a dozen fixes are listed. They address a whole range of issues, including POP email retrieval issues after network errors and recoveries, issues when exporting a profile, or issues when updating mail quota colors.

Now you: Thunderbird 102, still the previous version, or something else entirely for emails?
