====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN482
_____________________________________________________________________

DATE                : 31/08/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Mozilla Thunderbird versions prior
                                       to 78.2, 68.12.

=====================================================================
https://www.mozilla.org/en-US/security/advisories/mfsa2020-41/
https://www.mozilla.org/en-US/security/advisories/mfsa2020-40/
_____________________________________________________________________


Mozilla Foundation Security Advisory 2020-41
Security Vulnerabilities fixed in Thunderbird 78.2

Announced      August 25, 2020
Impact         high
Products      Thunderbird
Fixed in
        Thunderbird 78.2

In general, these flaws cannot be exploited through email in the
Thunderbird product because scripting is disabled when reading mail, but
are potentially risks in browser or browser-like contexts.

#CVE-2020-15663: Downgrade attack on the Mozilla Maintenance Service
could have resulted in escalation of privilege

Reporter       Xiaoyin Liu
Impact         high

Description

If Thunderbird is installed to a user-writable directory, the Mozilla
Maintenance Service would execute updater.exe from the install location
with system privileges. Although the Mozilla Maintenance Service does
ensure that updater.exe is signed by Mozilla, the version could have
been rolled back to a previous version which would have allowed
exploitation of an older bug and arbitrary code execution with System
Privileges.
Note: This issue only affected Windows operating systems. Other
operating systems are unaffected.

References

    Bug 1643199


#CVE-2020-15664: Attacker-induced prompt for extension installation

Reporter    Kaizer Soze
Impact      high

Description

By holding a reference to the eval() function from an about:blank
window, a malicious webpage could have gained access to the
InstallTrigger object which would allow them to prompt the user to
install an extension. Combined with user confusion, this could result in
an unintended or malicious extension being installed.

References

    Bug 1658214


#CVE-2020-15670: Memory safety bugs fixed in Thunderbird 78.2

Reporter     Mozilla developers and community
Impact       high

Description

Mozilla developers Jason Kratzer, Christian Holler, Byron Campen, Tyson
Smith reported memory safety bugs present in Thunderbird 78.1. Some of
these bugs showed evidence of memory corruption and we presume that with
enough effort some of these could have been exploited to run arbitrary
code.

References

    Memory safety bugs fixed in Thunderbird 78.2


_____________________________________________________________________


Mozilla Foundation Security Advisory 2020-40
Security Vulnerabilities fixed in Thunderbird 68.12

Announced    August 25, 2020
Impact       high
Products    Thunderbird
Fixed in
        Thunderbird 68.12

In general, these flaws cannot be exploited through email in the
Thunderbird product because scripting is disabled when reading mail, but
are potentially risks in browser or browser-like contexts.

#CVE-2020-15663: Downgrade attack on the Mozilla Maintenance Service
could have resulted in escalation of privilege

Reporter    Xiaoyin Liu
Impact      high

Description

If Thunderbird is installed to a user-writable directory, the Mozilla
Maintenance Service would execute updater.exe from the install location
with system privileges. Although the Mozilla Maintenance Service does
ensure that updater.exe is signed by Mozilla, the version could have
been rolled back to a previous version which would have allowed
exploitation of an older bug and arbitrary code execution with System
Privileges.
Note: This issue only affected Windows operating systems. Other
operating systems are unaffected.
References

    Bug 1643199


#CVE-2020-15664: Attacker-induced prompt for extension installation

Reporter    Kaizer Soze
Impact      high

Description

By holding a reference to the eval() function from an about:blank
window, a malicious webpage could have gained access to the
InstallTrigger object which would allow them to prompt the user to
install an extension. Combined with user confusion, this could result in
an unintended or malicious extension being installed.

References

    Bug 1658214


#CVE-2020-15669: Use-After-Free when aborting an operation

Reporter    Jason Kratzer
Impact      high

Description

When aborting an operation, such as a fetch, an abort signal may be
deleted while alerting the objects to be notified. This results in a
use-after-free and we presume that with enough effort it could have been
exploited to run arbitrary code.

References

    Bug 1656957



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================