Using Thunderbird? Update if you haven’t already
If you’re using Thunderbird for your email needs, make sure you’re on version 52.5.2. Mozilla recently released the new version, which has patches that squash a handful of bugs.
One bug, rated critical by the Mozilla Foundation, is CVE-2017-7845, a buffer overflow vulnerability affecting only Windows users. “A buffer overflow occurs when drawing and validating elements using Direct 3D 9 with the ANGLE graphics library, used for WebGL content,” Mozilla said in its security advisory. “This is due to an incorrect value being passed within the library during checks and results in a potentially exploitable crash.”
Two of the bugs are rated “high” in severity. CVE-2017-7846 is a JavaScript exploit affecting Thunderbird’s RSS reader capabilities. The second, CVE-2017-7847, is a CSS bug that could potentially allow an attacker to discover user data, like a user name.
Thunderbird continues to dwell in the Mozilla Foundation home: the foundation decided earlier this year to let it stick around, after threatening in late 2015 to kick it out. At issue was the amount of time and money spent on maintaining the email client, which Mozilla said was “a tax” on its more important Firefox development. Many fans of the venerable email client were upset at the prospect of Mozilla no longer supporting Thunderbird development, but a split was avoided when Thunderbird developers and users made donations to fund development and server costs themselves.
https://arstechnica.com/?p=1237511