The issue was discovered by Gajra Raja John of Cisco Talos. Firefox ESR users should update to the latest version, which is currently Firefox ESR 60. Thunderbird users should update to the latest version, which is currently Thunderbird 52. Users of Firefox 107 should update to the latest version, which is currently Firefox 108. On Windows, users who open a maliciously crafted email may be prompted to open documents or install a program without notification.
On Linux, the malicious email may be opened as a link or opened directly in a web browser without notification. These are examples of how an attacker could use this vulnerability to spoof a user into believing they received an email they did not. An attacker could also trick a user into installing a malicious program by sending them an email with a link.

What is the Thunderbird vulnerability?

Thunderbird is a web-based e-mail program. Thunderbird 52 is the latest version of the program, and it's currently available for download from the Mozilla website. Each time a new version of Thunderbird is released, Firefox ESR users are alerted about the updated version through their browser notification system.
This vulnerability was discovered in Firefox ESR 60, which means that users should update to this browser because it is more secure than the previous one. Additionally, users should update to Firefox 108 because it fixes this vulnerability.

CVE-2022-45408: Firefox ESR 60, Thunderbird 52, Firefox 108

A vulnerability has been discovered in Firefox and Thunderbird which may cause an attacker to spoof a user into thinking they are receiving an email when they are not. An attacker could also trick a user into installing a malicious program by sending them an email with a link.

How Does this Vulnerability Work?

The issue is caused by a use-after-free vulnerability in the Skia library's text rendering code. If an application opens a maliciously crafted email, it could be exploited to trigger an out-of-bounds write and potentially lead to arbitrary code execution on the system.

What needs to be fixed?

The underlying cause of this vulnerability was a Mozilla security bug. Firefox ESR 60, Thunderbird 52, and Firefox 108 fixed the issue. In order to fix this vulnerability, users of Windows have to update their operating systems and users of Linux have to update their kernels.

What is the Firefox ESR software recovery system?

The Firefox ESR software is designed to be used in cases where a user may have inadvertently deleted or corrupted the browser's profile directory. If this occurs, the user can use the Firefox ESR software to recover the browser's settings and data.

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 01/04/2023 14:41:00 UTC