In the current Thunderbird advisory, the developers note that the vulnerabilities in the email client normally cannot be exploited, because scripting is disabled by default when reading an email. They could still be dangerous in browser-like contexts. Regardless of these restrictions, users should play it safe and check whether their Thunderbird is up to date.
Two Use-After-Free Bugs That Corrupt Memory
CVE-2020-6819 and CVE-2020-6820 are use-after-free bugs that allow writes to memory that has already been freed. This can lead to program crashes and unexpected data values, or to arbitrary code execution.
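To make the bug class concrete, here is an added example that is not code from Thunderbird or from the Mozilla advisory. It uses a constructed toy allocator (a fixed pool of same-size slots with a LIFO free list, so the most recently freed slot is handed out again, as real heap allocators typically do) to show how a write through a stale pointer lands in whatever object now occupies the freed slot and silently changes its values. The struct names, the pool and the "is_admin" flag are all assumptions chosen for illustration; nothing here touches the real heap, so the result is deterministic.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy allocator: SLOT_COUNT fixed-size slots in a static buffer
   and a LIFO free list. Nothing here calls malloc/free, so the demonstration
   is deterministic and does not corrupt the process heap. */
#define SLOT_SIZE  32
#define SLOT_COUNT 8

static unsigned char pool[SLOT_COUNT][SLOT_SIZE];
static int free_stack[SLOT_COUNT];
static int free_top;

static void pool_reset(void) {
    free_top = 0;
    for (int i = SLOT_COUNT - 1; i >= 0; i--)
        free_stack[free_top++] = i;           /* slot 0 ends up on top */
    memset(pool, 0, sizeof pool);
}

static void *pool_alloc(void) {
    if (free_top == 0) return NULL;
    return pool[free_stack[--free_top]];      /* hand out most recently freed slot */
}

static void pool_free(void *p) {
    int idx = (int)(((unsigned char *)p - &pool[0][0]) / SLOT_SIZE);
    free_stack[free_top++] = idx;             /* slot goes back on top of the list */
}

/* Two unrelated object types that share an allocation size (both fit in one slot). */
struct scratch { char note[SLOT_SIZE]; };
struct session { char user[16]; int is_admin; };

/* Vulnerable flow: the scratch buffer is freed but its pointer is kept, the slot
   is reused for a session, and the late write through the stale pointer clobbers
   the session's is_admin flag. Returns the (corrupted) flag value. */
int uaf_vulnerable(void) {
    pool_reset();
    struct scratch *tmp = pool_alloc();
    strcpy(tmp->note, "temporary buffer");
    pool_free(tmp);                           /* tmp is now dangling */

    struct session *s = pool_alloc();         /* same slot as tmp */
    strcpy(s->user, "guest");
    s->is_admin = 0;

    memset(tmp->note, 'A', sizeof tmp->note); /* BUG: use after free */
    return s->is_admin;                       /* 0x41414141, not 0 */
}

/* Fixed flow: the pointer is cleared at the free and every later use is guarded,
   so no write can reach memory the object no longer owns. */
int uaf_fixed(void) {
    pool_reset();
    struct scratch *tmp = pool_alloc();
    strcpy(tmp->note, "temporary buffer");
    pool_free(tmp);
    tmp = NULL;                               /* fix: no dangling pointer survives */

    struct session *s = pool_alloc();
    strcpy(s->user, "guest");
    s->is_admin = 0;

    if (tmp) memset(tmp->note, 'A', sizeof tmp->note);   /* never runs */
    return s->is_admin;
}

int main(void) {
    printf("vulnerable: is_admin = 0x%x\n", (unsigned)uaf_vulnerable());
    printf("fixed:      is_admin = %d\n", uaf_fixed());
    return 0;
}
```

In the vulnerable path the attacker-controlled bytes written through the stale pointer become the new value of a security-relevant field; a real allocator gives the same reuse behaviour, and with attacker-chosen contents (a function pointer or vtable instead of a flag) that is the step from "unexpected data values" to code execution.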
The new Thunderbird release also brings new features and improvements, most of which concern extensions. Add-ons are now updated automatically. Mail extensions can now access the raw data of a message, and the messages API can now mark a message as junk or not junk.
One Vulnerability Stands Out
If saved mailbox passwords were only protected with a master password after the update to the new version, an outdated copy of the password file remained unprotected in the profile folder.
Version 68.6 also includes two bug fixes. First, a bug in searching the message text of certain HTML emails was fixed. Second, retrieving new emails now also works for accounts that require authentication. There are also two minor new features: a pop-up window now opens when a new profile is started, and Thunderbird now offers partial updates, which means smaller downloads.
Overall, the security risk is rated critical. All earlier versions should be assumed to be affected, on every operating system.
In its advisory, Mozilla confirms that the vulnerabilities cannot be exploited simply by receiving an email, because scripting is turned off by default. They could, however, be dangerous in a browser-like context.