The Mozilla Foundation yesterday issued a security update for its Thunderbird open-source email client, fixing two critical vulnerabilities involving its IonMonkey JavaScript JIT (just-in-time) compiler.
The first of the two flaws, CVE-2019-9810, consists of incorrect alias information when using the Array.prototype.slice method, which could result in a missing bounds check and a buffer overflow. The second issue, CVE-2019-9813, is described as the mishandling of __proto__ mutations, which can lead to type confusion in IonMonkey JIT code, allowing for arbitrary memory read and write.
Researchers Richard Zhu and Amat Cama of Trend Micro's Zero Day Initiative are credited with discovering the first vulnerability, while Niklas Baumstark, also with Trend Micro's Zero Day Initiative, found the second problem.
In its security advisory, Mozilla notes that these flaws generally "cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts." Nevertheless, version 60.6.1 of Thunderbird officially fixes both issues.