Mozilla fixes critical security flaws in Thunderbird
If Thunderbird is your email client, make sure you have updated it to version 52.5.2.
The release includes five security fixes: one rated critical, two rated high, one moderate and one of low severity.
The most serious flaw fixed is a critical buffer overflow (CVE-2017-7845) which only affects Thunderbird users running Windows: the bug occurs when "drawing and validating elements with ANGLE library using Direct 3D 9".
Direct3D 9 is a Windows-only graphics API, which is why other operating systems are unaffected, but the bug is not limited to Windows XP.
The two flaws rated high affect all operating systems.
The first one, CVE-2017-7846 (JavaScript Execution via RSS in mailbox:// origin), concerns the built-in RSS reader and its web view.
JavaScript embedded in a parsed RSS feed can execute when the feed is viewed as a website, e.g. via "View -> Feed article -> Website", or in the standard format via "View -> Feed article -> Default format".
The second high-severity flaw, CVE-2017-7847 (Local path string can be leaked from RSS feed), lets a crafted feed leak local path strings through the RSS reader; such paths typically contain the user's username.
The moderate flaw also concerns the RSS reader: CVE-2017-7848 (RSS Feed vulnerable to new line Injection).
Finally, the low-severity flaw (CVE-2017-7829, the first of the "Mailsploit" issues) makes it possible to spoof the sender's email address.
An attacker can display an arbitrary sender address to the email recipient: the real sender's address is not displayed if it is preceded by a null character in the decoded display string, so only the part before the null character is shown.
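The null-character trick, as an added example in Python (this is not Thunderbird's code and not from the advisory). It builds a From header whose RFC 2047 encoded-word decodes to a spoofed address followed by a NUL, with the attacker's real domain in clear text after the encoded-word; a renderer that cuts the decoded string at the NUL shows only the spoofed address, while a hardened renderer never truncates and makes the control character visible. All addresses and domains are constructed, hypothetical values.

```python
"""Added example (not Thunderbird's code): a From header with an encoded
null character, rendered by a naive and by a hardened display routine.
All addresses and domains below are constructed and hypothetical."""
import base64
from email.header import decode_header

NUL = "\x00"


def build_spoofed_from(shown_addr: str, real_domain: str) -> str:
    """Construct a From header value in the style the advisory describes.

    The encoded-word decodes to '<shown_addr>\\x00'; the attacker's real
    domain follows it in clear text, so the wire-level sender is
    '<shown_addr>\\x00@<real_domain>'.  (Constructed input, hypothetical names.)
    """
    payload = (shown_addr + NUL).encode("utf-8")
    b64 = base64.b64encode(payload).decode("ascii")
    return f"=?utf-8?b?{b64}?=@{real_domain}"


def decode_words(header: str) -> str:
    """Decode every RFC 2047 encoded-word in a header into one text string."""
    parts = []
    for raw, charset in decode_header(header):
        if isinstance(raw, bytes):
            parts.append(raw.decode(charset or "ascii", errors="replace"))
        else:  # decode_header returns str when there was nothing to decode
            parts.append(raw)
    return "".join(parts)


def naive_display(header: str) -> str:
    """Pre-fix behaviour as the advisory describes it: the decoded display
    string is cut at the first NUL, so the real address after it is never
    shown to the user."""
    return decode_words(header).split(NUL, 1)[0]


def _is_control(ch: str) -> bool:
    """C0/C1 control characters (other than TAB) have no legitimate use in a
    display name or address."""
    code = ord(ch)
    return (code < 0x20 and ch != "\t") or 0x7F <= code < 0xA0


def has_control_chars(text: str) -> bool:
    return any(_is_control(c) for c in text)


def hardened_display(header: str) -> str:
    """Hardened rendering: never truncate; replace control characters with
    U+FFFD so the attacker's real domain stays in view and the tampering is
    obvious to the reader."""
    text = decode_words(header)
    if not has_control_chars(text):
        return text
    return "".join("\ufffd" if _is_control(c) else c for c in text)


if __name__ == "__main__":
    spoofed = build_spoofed_from("ceo@bank.example", "attacker.example")
    print("raw header :", spoofed)
    print("naive view :", naive_display(spoofed))
    print("hardened   :", hardened_display(spoofed))
```

Running the script prints the raw header, then the naive view (only the spoofed address) and the hardened view (the spoofed address, a replacement character, and the real domain). A mail filter or client can use the same `has_control_chars` check on the decoded From header to flag such messages instead of rendering them at all.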
Image credit: dakirby309