Two vulnerabilities rated High (CVSS 7.8) have been found in Thunderbird. CVE-2023-34416 is a memory safety bug; CVE-2023-34414 allows clickjacking of the certificate-error override. Updating to version 102.12 closes both.
The popular e-mail client Thunderbird has two vulnerabilities rated High with a CVSS score of 7.8. Germany's BSI has also published the security information as advisory WID-SEC-2023-1414. The fix is simple: updating to Thunderbird 102.12 is sufficient. However, many users and companies have left Thunderbird's update setting at its default, "Check for updates, but ask before installing", and the resulting update prompt is often postponed. Updates should instead be installed automatically (Tools / Settings / Updates).
Clickjacking and memory safety bugs
Mozilla's description of the vulnerabilities:
CVE-2023-34414: Clickjacking certificate exceptions due to render delay
The error page for websites with invalid TLS certificates was missing the activation delay that Thunderbird uses to protect prompts and permission dialogs from attacks that exploit human response-time delays. If a malicious page elicited user clicks at precise locations immediately before navigating to a site with a certificate error, while at the same time keeping the renderer extremely busy, it could create a gap between the error page being loaded and the display actually refreshing. With the right timing, the elicited clicks could land in that gap and activate the button that overrides the certificate error for that site.
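To make the mitigation described above concrete, the following is an added example (not Mozilla code and not from the original article) that models the activation delay a security prompt applies: clicks that arrive before the prompt has been visible for a minimum time are dropped, so clicks queued by a busy renderer cannot "land" on the override button. The 1000 ms value mirrors Firefox's `security.dialog_enable_delay` default; the class and function names here are hypothetical, and the constructed click timings are simulated, not captured from a real browser.

```javascript
// Minimal model of an "activation delay" for a security-sensitive prompt,
// the protection that the certificate-error page in Thunderbird < 102.12 lacked.
// Added example, not Mozilla's implementation. The default of 1000 ms is taken
// from Firefox's security.dialog_enable_delay preference (an assumption here).
const ACTIVATION_DELAY_MS = 1000;

class SecurityPrompt {
  constructor({ activationDelayMs = ACTIVATION_DELAY_MS } = {}) {
    this.activationDelayMs = activationDelayMs;
    this.shownAt = null;      // time (ms) at which the prompt was actually painted
    this.overridden = false;  // true once the override button has been accepted
  }

  // Call when the prompt is painted. The delay is measured from the moment the
  // user could have seen the button, not from when navigation started, so that a
  // render gap caused by a busy renderer does not shorten the protection window.
  show(nowMs) {
    this.shownAt = nowMs;
  }

  // Handle a click on the override button. Returns 'accepted' or a rejection
  // reason. A click that arrives before the prompt is visible, or within the
  // activation window, is ignored rather than honoured.
  click(nowMs) {
    if (this.shownAt === null) return 'rejected:not-visible';
    if (nowMs - this.shownAt < this.activationDelayMs) return 'rejected:too-early';
    this.overridden = true;
    return 'accepted';
  }
}

// Simulate the advisory's scenario: the prompt appears at t = 0 and a series of
// clicks (elicited by the attacker page and delivered late by the busy renderer)
// arrive at the given offsets. Returns the prompt's decision for each click.
function simulateClickjack(promptOptions, clickOffsetsMs) {
  const prompt = new SecurityPrompt(promptOptions);
  const shownAt = 0;
  prompt.show(shownAt);
  return clickOffsetsMs.map((dt) => prompt.click(shownAt + dt));
}

// A click delivered before the prompt has been painted at all.
function clickBeforeShown() {
  const prompt = new SecurityPrompt();
  return prompt.click(0);
}

// Constructed timings: two clicks land in the first 300 ms (the "gap"), one arrives
// after the user has had a full second to see the dialog.
const protectedRun = simulateClickjack({}, [50, 300, 1200]);
// The vulnerable configuration: no activation delay, the first queued click wins.
const vulnerableRun = simulateClickjack({ activationDelayMs: 0 }, [50]);
console.log('with delay:', protectedRun, 'without delay:', vulnerableRun);
```

The design point is where the timer starts: it must run from the moment the button is painted, which is exactly what the error page failed to do, so a click queued during the render gap was treated as a deliberate decision to override the certificate error.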
CVE-2023-34416: Memory safety bugs
Mozilla developers and community members Gabriele Svelto, Andrew McCreight, the Mozilla Fuzzing Team, Sean Feng, and Sebastian Hengst reported memory safety bugs present in Thunderbird 102.11. Some of these bugs showed evidence of memory corruption, and we presume that with enough effort some of them could have been exploited to run arbitrary code.