Thunderbird 52.6.0 with security fixes released

Thunderbird 52.6.0 is a security update for the popular desktop email client. The release is available via the email client's automatic update feature and also on the official project website.

Thunderbird users can run a manual check for updates with a click on Help > About Thunderbird. If the menu bar is missing, tap on the Alt-key to display it.

Thunderbird will pick up the new update and download and install it automatically.

Thunderbird 52.6.0

Thunderbird 52.6.0 is a security and maintenance release.

The team lists all fixed security vulnerabilities on this page. The bulk of issues cannot be exploited through emails because scripts are disabled by default when reading emails. They may be exploited however in browser or browser-like contexts.

• CVE-2018-5095: Integer overflow in Skia library during edge builder allocation
• CVE-2018-5096: Use-after-free while editing form elements
• CVE-2018-5097: Use-after-free when source document is manipulated during XSLT
• CVE-2018-5098: Use-after-free while manipulating form input elements
• CVE-2018-5099: Use-after-free with widget listener
• CVE-2018-5102: Use-after-free in HTML media elements
• CVE-2018-5103: Use-after-free during mouse event handling
• CVE-2018-5104: Use-after-free during font face manipulation
• CVE-2018-5117: URL spoofing with right-to-left text aligned left-to-right
• CVE-2018-5089: Memory safety bugs fixed in Firefox 58, Firefox ESR 52.6, and Thunderbird 52.6

Thunderbird 52.6.0 fixes three usability issues as well.

• Searching message bodies of messages in local folders, including filter and quick filter operations, not working reliably: Content not found in base64-encode message parts, non-ASCII text not found and false positives found.
• Defective messages (without at least one expected header) not shown in IMAP folders but shown on mobile devices
• Calendar: Unintended task deletion if numlock is enabled

The search issue fix is probably the biggest improvement in the release. Thunderbird's built-in search did not work reliably in some cases. If you noticed in the past that mails were not returned by the search even though they should, this may have been the reason for that.

Thunderbird did not display defective messages in IMAP folders under certain circumstances. This is fixed as well and should work as intended.

Last but not least, a bug caused tasks to be deleted in the built-in calendar if Numlock was activated.

Closing Words

Thunderbird 52.6.0 is a security update and as such should be installed asap. I did not notice any issues yet after the upgrade but that is just with a couple of minutes of using the new version. If anything comes up I'll update the article. (via gHacks)

Now You: Which email client or service do you use?