Mozilla released a security update for Thunderbird to address vulnerabilities that an attacker could exploit to take control of an affected system.
Mozilla Thunderbird 60.6.1 comes with the same security patches released with Firefox 66.0.1, which fixed issues in Firefox 66, released a few days earlier.
Mozilla resolved two different security flaws, both of which were reported by Trend Micro’s Zero Day Initiative, officials said in an advisory.
“In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts,” said the advisory.
The vulnerabilities fixed are all labeled critical.
In one issue, CVE-2019-981, incorrect alias information in the IonMonkey JIT compiler for the Array.prototype.slice method may lead to a missing bounds check and a buffer overflow, Mozilla said.
In the other, CVE-2019-9813, incorrect handling of __proto__ mutations may lead to type confusion in IonMonkey JIT code and can be leveraged for arbitrary memory read and write, according to the advisory.