Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Mozilla Thunderbird 91.3 Released to Fix High Impact Flaws

Mozilla Thunderbird 91.3 Released to Fix High Impact Flaws

​Mozilla released  Thunderbird 91.3 to fix several high-impact vulnerabilities that can cause a denial of service, spoof the origin, bypass security policies, and allow arbitrary code execution.

Triggering most of the newly discovered bugs requires a user to open a specially crafted website in a browsing context, so the exploitation is relatively simple.

Also Read: 6 Types Of Document Shredder Machine Singapore Services

Multiple high-severity flaws

Mozilla Thunderbird 91.3 fixes ten flaws discovered by various researchers that cover a broad spectrum of the email client’s functionality.

  • CVE-2021-38503: iframe bypass restrictions that allow script execution
  • CVE-2021-38504: user-after-free in the file picker dialog, leading to memory corruption and a potentially exploitable crash
  • CVE-2021-38505: Windows 10 Cloud Clipboard sensitive data recording, copying sensitive user data to the user’s Microsoft account, increasing the risk of information disclosure.
  • CVE-2021-38506: Forcing Thunderbird to go into fullscreen mode without user interaction, laying the ground for UI spoofing and phishing attacks.
  • CVE-2021-38507: Bypass the ‘Same-Origin-Policy’ by exploiting the Opportunistic Encryption feature.
  • CVE-2021-38508: Ability to overlay the Permission Prompt to trick the user into granting any permission.
  • CVE-2021-38509: Spoof the JavaScript alert () dialog with arbitrary contents.
  • CVE-2021-38510: Bypass ‘Download Protections’ on .inetloc files, allowing code execution on macOS.
  • MOZ-2021-0008: Use-after-free in HTTP2 Session object, leading to memory corruption and possibly to an exploitable crash.
  • MOZ-2021-0007: Memory corruption flaws that may lead to arbitrary code execution.

One vulnerability tracked as CVE-2021-38505 is of particular interest as its related to the Windows 10 Cloud Clipboard. 

The Windows 10 Cloud Clipboard feature was introduced in 2018, and if enabled, will sync data you copy to the clipboard into the cloud, so it is available on other devices you have an account.

To prevent sensitive data from being synced to the cloud, Microsoft introduced specific clipboard formats that Windows would not copy to the cloud. However, Thunderbird and Mozilla did not use those formats, potentially allowing sensitive data to be synchronized.

“Microsoft introduced a new feature in Windows 10 known as Cloud Clipboard which, if enabled, will record data copied to the clipboard to the cloud, and make it available on other computers in certain scenarios,” explained Mozilla.

“Applications that wish to prevent copied data from being recorded in Cloud History must use specific clipboard formats; and Firefox before versions 94 and ESR 91.3 did not implement them. This could have caused sensitive data to be recorded to a user’s Microsoft account.”

Due to the severity of the above flaws, upgrading the popular email client to version 91.3 or later should be done as soon as possible.

To upgrade to the latest version immediately, open Thunderbird, click on the app menu, and select Help About Thunderbird. From there, you will be offered the option to download and install the latest available version.

Ubuntu has also released a security notice for Thunderbird for the flaws that concern the Linux distribution, and an updated package has been made available on the stable repository.

Also Read: 10 Principles On How To Build A Good Governance Model

Upgrade to 91.x lagging

The latest stats from Mozilla show that only 65% of Thunderbird users have upgraded to 91.x, with the rest still using older, unsupported, and now vulnerable versions.

A month ago, Mozilla forced an upgrade from 78.x to 91.x, to ensure that everyone is running the latest stable version of the email client.

However, due to add-on incompatibility issues between the two major releases, many users have opted to stay on 78.x, which from a security perspective, is getting increasingly risky.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us