Thunderbird 68.9.0 fixes 5 high impact security issues

Claudiu Andone
by Claudiu Andone
0 Comments
Download PDF
Affiliate Disclosure

  • The Thunderbird development team has released the stable version of Thunderbird 68.9.0 to the general public.
  • If you already have Thunderbird installed, you should be prompted for an update, but you can also download it from the official site.
  • Thunderbird is an open-source e-mail client developed by Mozilla. Read more about it in our Thunderbird section
  • Are you looking for the right e-mail client? Check our E-mail Hub for the most useful guides for e-mail clients.
The new Thunderbird 68.9.0 fixes 5 high impact security issues

The Thunderbird development team has released the stable version of Thunderbird 68.9.0 to the general public.

Thunderbird has the same release schedule of Firefox ESR (Extended Support Release). Mozilla increased the frequency of the Firefox releases so that’s why we see more Thunderbird releases than usual.

If you already have Thunderbird installed, you should be prompted for an update.

But if you didn’t receive the update yet, you can select click on Help, then go to About Thunderbird and run a manual check for updates.

Of course, there is also the option to download the new release from the official project website and install it manually.

What is new in Thunderbird 68.9.0?

Actually, there no new feature coming with the new Thunderbird 68.9.0. However, the release notes point to three bug fixes and some security fixes.

For starters, a bug fix corrected an issue that prevented users from removing custom headers used for searching for filtering emails.

Another solved problem is that now, the Today Pane from the Calendar is updated after all data is loaded.

The third release note points to fixing unspecified stability issues.

Thunderbird 68.9.0 security issues fixed

The most important part of the update was actually the Various security issues.

In the detail page, the Mozilla Foundation Security Advisory 2020-22 lists 5 high impact security issues fixed in the new Thunderbird 68.9.0 version:

  • NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys.
  • When browsing a malicious page, a race condition in our SharedWorkerService could occur and lead to a potentially exploitable crash.
  • Mozilla developer Iain Ireland discovered a missing type check during unboxed objects removal, resulting in a crash. We presume that with enough effort that it could be exploited to run arbitrary code.
  • Mozilla developers Tom Tung and Karl Tomlinson reported memory safety bugs present in Firefox 68.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
  • If Thunderbird is configured to use STARTTLS for an IMAP server, and the server sends a PREAUTH response, then Thunderbird will continue with an unencrypted connection, causing email data to be sent without protection.

Do you use Thunderbird as an e-mail client? Leave your thoughts about it in the comments sections below.