O Thunderbird lançou uma nova versão para resolver uma dezena de vulnerabilidades de segurança, incluindo o problema de criptografia EFAIL que foi descoberto em maio.
A nova versão corrige dois problemas do EFAIL na maneira como o Thunderbird lida com mensagens cifradas.
“The EFAIL attacks exploit vulnerabilities in the OpenPGP and S/MIME standards to reveal the plaintext of encrypted emails. In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs.” reads the blog post published by the researchers that discovered the EFAIL flaw.
“To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago.”
A nova versão do Thunderbird 52.9 aborda a falha CVE-2018-12372 que pode ser explorada por atacantes de forma a construir S/MIME e PGP decrypt stubs em mensagens HTML.
“Decrypted S/MIME parts, when included in HTML crafted for an attack, can leak plaintext when included in a HTML reply/forward.” reads the security advisory published by the Mozilla Foundation.
A nova versão também corrige a falha CVE-2018-12373 que poderia resultar no vazamento de texto simples S / MIME quando uma mensagem é encaminhada para outro endereço de email. Nesta correção foi também abordada a vulnerabilidade CVE-2018-12359 respeitante a um buffer overflow e que pode ser explorada como forma de bloquear um sistema vulnerável.
“A buffer overflow can occur when rendering canvas content while adjusting the height and width of the <canvas> element dynamically, causing data to be written outside of the currently computed boundaries.”
“A use-after-free vulnerability can occur when deleting an
inputelement during a mutation event handler triggered by focusing that element. This results in a potentially exploitable crash.” continues the advisory.
Outro grave problema está relacioado com os ficheiros executaveis SettingContent-ms. O investigador Matt Nelson, descobriu que os utilizadores do Windows 10 não estavam a ser alertados quando abriam este tipo de ficheiros. Esta falha foi identificada como CVE-2018-12368 e pode ser usada por invasores de forma a executarem código arbitrário e enganar os utilizadores a abrirem os ficheiros maliciosos.
“Windows 10 does not warn users before opening executable files with the SettingContent-ms extension even when they have been downloaded from the internet and have the “Mark of the Web.” continues the advisory.
“Without the warning, unsuspecting users unfamiliar with this new file type might run an unwanted executable. This also allows a WebExtension with the limited downloads.open permission to execute arbitrary code without user interaction on Windows 10 systems”.
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also Freelance Writer (Infosec. Resources Institute and Cyber Defense Magazine) and developer of the 0xSI_f33d – a feed that compiles phishing and malware campaigns targeting Portuguese citizens.
Read more here.