Users can download it for GNU/Linux, macOS, and Windows

Mar 8, 2017 23:44 GMT

Along with the release of the Firefox 52.0 web browser, which is now the new ESR (Extended Support Release) branch, Mozilla also pushed a new security update for the Thunderbird email and news client.

Thunderbird 45.8.0 is now the latest release of the popular email client and news/RSS reader, which is included by default in numerous Linux distributions. As mentioned before, this is a security update that addresses multiple vulnerabilities discovered in previous versions. According to the release notes, five of them are marked as "Critical."

These include an asm.js JIT-spray bypass of DEP and ASLR (CVE-2017-5400), a memory corruption when handling ErrorResult (CVE-2017-5401), two use-after-free bugs, one when working with events in FontFace objects (CVE-2017-5402) and one when working with ranges in selections (CVE-2017-5404), and memory safety bugs (CVE-2017-5398).

Two other security vulnerabilities fixed in Thunderbird 45.8 are marked as "High." One of them could allow an attacker to steal pixels and history via a floating-point timing side channel with SVG filters (CVE-2017-5407), and the other is a memory corruption that occurred during incremental sweeping in JavaScript garbage collection (CVE-2017-5410).

Users are advised to update as soon as possible

Marked as "Moderate," there's another security issue, namely CVE-2017-5408, which was patched in Thunderbird 45.8 to address cross-origin reading of video captions in violation of CORS. It also looks like FTP response codes could cause the use of uninitialized values for ports (CVE-2017-5405). This was fixed as well, but its impact is low.

Users are advised to update their Thunderbird installations as soon as possible. You can download Mozilla Thunderbird 45.8.0 for GNU/Linux, macOS, and Microsoft Windows operating systems right now from our website. Please restart any running sessions for the new version to take effect. You can also install this update from the stable repos of your Linux distros, or via the built-in update system on Mac and Windows.