Network Security, Patch/Configuration Management, Vulnerability Management

Mozilla plugs two critical security holes in Thunderbird

March 27, 2019

The Mozilla Foundation yesterday issued a security update for its Thunderbird open-source email client, fixing two critical vulnerabilities involving its IonMonkey JavaScript JIT (just-in-time) compiler.

The first of the two flaws, CVE-2019-9810, consists of incorrect alias information when using the Array.prototype.slice method, which could result in a missing bound check and buffer overflow. The second issue, CVE-2019-9813, is described as the mishandling of __proto__ mutations of, which can lead to type confusion in IonMonkey JIT code, allowing for arbitrary memory read and write.

Researchers Richard Zhu and Amat Cama of Trend Micro's Zero Day Initiative are credited with discovering the first vulnerability, while Niklas Baumstark, also with Trend Micro's Zero Day Initiative, found the second problem.

In its security advisory, Mozilla notes that these flaws generally "cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts." Nevertheless, version 60.6.1 of Thunderbird officially fixes both issues.

An In-Depth Guide to Network Security

Get essential knowledge and practical strategies to fortify your network security.

Learn More

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Vulnerability Management

Ivanti fixes 4 critical flaws, including CVSS 9.9 in Connect Secure

Laura FrenchFebruary 12, 2025

The flaws could enable remote code execution or arbitrary file writing and should be patched immediately.

Critical SonicWall SMA1000 bug patched amid active exploitation. (SonicWall)

Network Security

Addressed high-severity SonicWall firewall bug poses VPN hijacking threat

SC StaffFebruary 12, 2025

Potential intrusions commence with the delivery of a specially crafted session cookie with a base64-encoded null bytes string to the '/cgi-bin/sslvpnclient' SSL VPN authentication endpoint, prompting an improper session validation that logs out firewall users and enables attacker session hijacking, a report from Bishop Fox revealed.

Network Security

The blueprint for cyber resilience: How businesses can adapt and thrive

SC StaffFebruary 12, 2025

LevelBlue's Theresa Lanowitz discusses what cyber resilience is and the path to get there.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

Mozilla plugs two critical security holes in Thunderbird

An In-Depth Guide to Network Security

Related

Ivanti fixes 4 critical flaws, including CVSS 9.9 in Connect Secure

Addressed high-severity SonicWall firewall bug poses VPN hijacking threat

The blueprint for cyber resilience: How businesses can adapt and thrive

Related Events

Your Network is Gone: How to Secure What’s Left in the New Era of Cloud and Remote Work

Building Modern Network security: Forecast and guidance: Late 2024, early 2025

The Security Experts Next Door: Enterprise Defense on a Lean Budget

Get daily email updates