Thunderbird 52.8.0 is a new version of the popular cross-platform email client that fixes several security vulnerabilities.

Existing Thunderbird users can run a check for updates from within the client; to do that, tap on the Alt-key on the keyboard and select Help > About Thunderbird.

The update check should pick up the new version 52.8.0, download it to the local system, and install it.

Thunderbird 52.8.0 is available as a standalone download from the official project website as well. You may use the installer to upgrade existing installations of the email client or install it anew on a supported system.

Thunderbird 52.8.0

The release notes highlight changes and issues. Thunderbird 52.8.0 is a security update for the email client that fixes several security issues, several of which received the highest impact rating of critical.

Thunderbird 52.8.0 protects emails against some EFAIL exploits; EFAIL is a recently disclosed attack against OpenPGP and S/MIME. Attackers may use EFAIL attacks to retrieve the actual text of encrypted messages, provided that they managed to get hold of the encrypted email and that the target runs a vulnerable client.

The team plans to publish Thunderbird 52.8.1 to fix the issue completely. Check out the descriptions of the vulnerabilities CVE-2018-5184 and CVE-2018-5162 for additional details.

The following issues are fixed in the new Thunderbird version:

  • CVE-2018-5183: Backport critical security fixes in Skia
  • CVE-2018-5184: Full plaintext recovery in S/MIME via chosen-ciphertext attack
  • CVE-2018-5154: Use-after-free with SVG animations and clip paths
  • CVE-2018-5155: Use-after-free with SVG animations and text paths
  • CVE-2018-5159: Integer overflow and out-of-bounds write in Skia
  • CVE-2018-5161: Hang via malformed headers
  • CVE-2018-5162: Encrypted mail leaks plaintext through src attribute
  • CVE-2018-5170: Filename spoofing for external attachments
  • CVE-2018-5168: Lightweight themes can be installed without user interaction
  • CVE-2018-5174: Windows Defender SmartScreen UI runs with less secure behavior for downloaded files in Windows 10 April 2018 Update
  • CVE-2018-5178: Buffer overflow during UTF-8 to Unicode string conversion through legacy extension
  • CVE-2018-5185: Leaking plaintext through HTML forms
  • CVE-2018-5150: Memory safety bugs fixed in Firefox 60, Firefox ESR 52.8, and Thunderbird 52.8

Closing Words

Thunderbird 52.8.0 is a security update for the email client that addresses two critical security issues and several rated as high. Thunderbird users should consider upgrading the client to the new version as soon as possible.

Those who use OpenPGP or S/MIME should install the patch as soon as possible; it is still recommended to block remote content in Thunderbird to block attacks.