Mozilla has released a new version of the Thunderbird email app, and this time the changelog points to a super-important fix that brings the client back to working condition.
First and foremost, some background.
As we all know already, Mozilla Thunderbird is one of the best email apps currently around, and if you ask me, it’s one of the best alternatives to Microsoft Outlook right now.
But the simple thing that it’s available with a freeware license makes Thunderbird the go-to app for so many users out there, and it happens for a good reason. The feature lineup is absolutely impressive, and Mozilla keeps improving it with every new release.
The most recent update shipped to Mozilla Thunderbird users is version 78.3.1, and as the parent company itself explains, there’s just one important fix in this release.
It’s a fix that resolves crashes reported in Thunderbird 78.3.0, an update that was released only a few days before. So this new build is more of an emergency patch that deals with the whole thing and thus brings Thunderbird back to fully working condition.
Other than that, Mozilla Thunderbird version 78.3.1 comes with all the improvements included in its predecessor, so let’s have a look at what’s included in version 78.3.0 too.
There are no new features in this update, but only changes and fixes.
First and foremost, the OpenPGP implementation is getting more refinements, and Mozilla says this update brings improved decryption performance with large messages, and the UI to hide the external key is now disabled by preference.
These are the OpenPGP improvements available in this update, as per the official changelog:
- OpenPGP: Improved decryption performance with large messages
- OpenPGP: Do not show external key UI when disabled by preference
- Selecting “Cancel” on the Master Password prompt at startup incorrectly reported corrupted OpenPGP data
- OpenPGP: Creating a new key pair did not automatically select it for use
Then, the update also includes a change for MailExtensions. Beginning with this update, the installation of legacy MailExtensions is disabled, according to the official changelog.
Mozilla Thunderbird 78.3 also comes with the following security fixes:
- CVE-2020-15673: Memory safety bugs fixed in Thunderbird 78.3
- CVE-2020-15678: When recursing through layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free scenario
- CVE-2020-15676: XSS when pasting attacker-controlled data into a contenteditable element
- CVE-2020-15677: Download origin spoofing via redirect
Out of these vulnerabilities, only the memory safety bugs have been flagged with a high severity rating. These problems have been discovered and reported by a Mozilla developer, and the parent company explains that in the worst-case scenario, an attacker abusing the vulnerabilities could get access to run arbitrary code on devices where an unpatched version of Mozilla Thunderbird is running.
“Mozilla developer Jason Kratzer reported memory safety bugs present in Thunderbird 78.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code,” Mozilla says.
However, Mozilla says that exploiting these vulnerabilities with a malicious email isn’t possible because of the way Thunderbird is configured right now. Mozilla explains:
“In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.”
Needless to say, Thunderbird users are recommended to update to the latest release as soon as possible, not only because it brings the latest improvements, but also because of these security fixes. The new version of the email app is available on all supported platforms, and these include Linux, Windows, and macOS.