There are three security holes in the email client Thunderbird. Two of them are considered critical, the developers warn. The BSI's emergency team, CERT Bund, classifies the risk as “very high”.
The issues are said to affect all Thunderbird versions on Linux, macOS and Windows. Version 52.5 is secured. Because scripting is disabled by default in the mail client, it should not be possible to initiate an attack via e-mail.
Attackers who exploit the two critical vulnerabilities are said to be able to trigger memory errors, including use-after-free, remotely and without authentication, and thus execute malicious code.
Attackers could exploit the third vulnerability, rated with the threat level “high”, as an entry point to extract information.
An update to the new version 52.5 should therefore be carried out as swiftly as possible.