Thunderbird Developers Correct Potentially Critical Security Flaws

With the release of Thunderbird 52.9, developers have fixed a number of critical security flaws, and users are being urged to upgrade so that they are not exposed to any of these vulnerabilities. Because Thunderbird disables scripting when reading mail, it is usually not affected by most of them. However, the browser-like controls it embeds carry enough potential risk that the organization dedicated a great deal of time to fixing these issues before they could turn up in the wild.

Buffer overflows are always among the more concerning vulnerabilities, and an exploit of CVE-2018-12359 would have relied on exactly this technique to seize control of the email client. The overflow could theoretically occur when rendering a canvas element whose height and width were changed dynamically.

If this happened, data could be written outside the intended memory boundaries, which might allow arbitrary code execution. CVE-2018-12359 has been fixed in version 52.9, which is probably reason enough for most users to upgrade.
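The general bug class behind a dimension-change overflow is a backing buffer that is sized at creation and then left untouched when the advertised width and height change, so later pixel writes land past the allocation. The following is an added illustration written for this article, not Thunderbird or Gecko code, and it does not reproduce the actual CVE-2018-12359 defect; the `canvas_t` type and every function in it are hypothetical. It shows the unsafe resize pattern beside the safe one, with a pixel writer that validates against the allocated length rather than only the advertised dimensions, and an overflow check on the `width * height * 4` size computation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical canvas backing store: width*height pixels, 4 bytes (RGBA) each. */
typedef struct {
    size_t width;
    size_t height;
    size_t buf_len;   /* bytes actually allocated, independent of width/height */
    uint8_t *buf;
} canvas_t;

/* Compute the byte size of a w x h RGBA buffer, rejecting products that wrap. */
static int canvas_bytes(size_t w, size_t h, size_t *out) {
    if (w == 0 || h == 0) { *out = 0; return 0; }
    if (w > SIZE_MAX / h) return -1;          /* w*h would overflow size_t */
    size_t pixels = w * h;
    if (pixels > SIZE_MAX / 4) return -1;     /* *4 would overflow size_t */
    *out = pixels * 4;
    return 0;
}

int canvas_init(canvas_t *c, size_t w, size_t h) {
    size_t n;
    if (canvas_bytes(w, h, &n) != 0) return -1;
    c->buf = calloc(n ? n : 1, 1);
    if (!c->buf) return -1;
    c->width = w; c->height = h; c->buf_len = n;
    return 0;
}

/* Unsafe pattern: dimensions are updated but the backing store is left alone. */
void canvas_set_size_unsafe(canvas_t *c, size_t w, size_t h) {
    c->width = w;
    c->height = h;
}

/* Safe pattern: the backing store is reallocated together with the dimension change. */
int canvas_set_size(canvas_t *c, size_t w, size_t h) {
    size_t n;
    if (canvas_bytes(w, h, &n) != 0) return -1;
    uint8_t *nb = calloc(n ? n : 1, 1);
    if (!nb) return -1;
    free(c->buf);
    c->buf = nb; c->width = w; c->height = h; c->buf_len = n;
    return 0;
}

/* Pixel write that checks the coordinates against the dimensions AND the offset
   against the allocated length, so a stale buffer is never written past its end.
   Returns 0 on success, -1 for out-of-range coordinates, -2 for a dimension/allocation
   mismatch, -3 if the dimensions themselves are too large to address. */
int canvas_put_pixel(canvas_t *c, size_t x, size_t y, uint32_t rgba) {
    size_t total;
    if (canvas_bytes(c->width, c->height, &total) != 0) return -3;
    if (x >= c->width || y >= c->height) return -1;
    size_t off = (y * c->width + x) * 4;   /* cannot wrap: bounded by total above */
    if (off + 4 > c->buf_len) return -2;   /* dimensions disagree with allocation */
    memcpy(c->buf + off, &rgba, 4);
    return 0;
}

void canvas_free(canvas_t *c) { free(c->buf); c->buf = NULL; c->buf_len = 0; }

/* Grow a 4x4 canvas to 64x64 without reallocating, then write at a coordinate that is
   inside the new dimensions but outside the old 64-byte buffer. Returns the write result. */
int demo_stale_buffer(void) {
    canvas_t c;
    if (canvas_init(&c, 4, 4) != 0) return -99;
    canvas_set_size_unsafe(&c, 64, 64);
    int r = canvas_put_pixel(&c, 63, 63, 0xffffffffu);
    canvas_free(&c);
    return r;
}

/* Same scenario with the safe resize: the write succeeds because the store was grown. */
int demo_reallocated(void) {
    canvas_t c;
    if (canvas_init(&c, 4, 4) != 0) return -99;
    if (canvas_set_size(&c, 64, 64) != 0) { canvas_free(&c); return -99; }
    int r = canvas_put_pixel(&c, 63, 63, 0xffffffffu);
    canvas_free(&c);
    return r;
}

int main(void) {
    printf("stale buffer write rejected with %d\n", demo_stale_buffer());   /* -2 */
    printf("reallocated buffer write returned %d\n", demo_reallocated());   /* 0 */
    return 0;
}
```

The point of the two checks in `canvas_put_pixel` is that a resize path and a write path can be written by different people at different times; validating the offset against what was actually allocated catches the mismatch even when the resize path is wrong, and the size computation refuses dimension pairs whose product would wrap.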

The other major vulnerability, CVE-2018-12360, could occur when an input element was deleted at certain times. Triggering it would usually have required going through the mutation event handlers that fire when an element is focused.

While it is relatively unlikely that CVE-2018-12360 would have been triggered in the wild, the potential for arbitrary code execution was high enough that no one wanted to take the risk. As a result, this bug has also been patched, along with one involving CSS elements and another involving a plaintext leak from decrypted emails.

Users who want to upgrade to the latest version and take advantage of these bugfixes won't have to worry much about system requirements. The Windows version works on installations as old as Windows XP and Windows Server 2003.

Mac users can run 52.9 on OS X Mavericks or newer, and almost everyone using a modern GNU/Linux distribution should be able to upgrade as the only notable dependency is GTK+ 3.4 or higher. These users may find that the new version is in their repositories soon enough anyway.

Kamil Anwar
Kamil is a certified MCITP, CCNA (W), CCNA (S) and a former British Computer Society member with over 9 years of experience configuring, deploying and managing switches, firewalls and domain controllers; he is also an old-school IRC user still active on FreeNode.