IT NEWS

Twitter fixes bug that left devices logged in after password reset

Twitter says it has fixed a bug that meant users weren’t logged out of active sessions on all devices after manually resetting their passwords. 

Writing on its blog, Twitter said:

“We want to let you know that we recently fixed a bug that allowed Twitter accounts to stay logged in from multiple devices after a voluntary password reset. In order to help ensure the safety and security of everyone that may have been affected, we’ve proactively logged people who may have been affected out of active sessions.”

Staying logged in on other devices after explicitly changing an account password is a serious security risk, because the whole point of a reset after a suspected compromise is to evict whoever else is in the account. An attacker who had already breached the account would stay logged in and able to impersonate the user, rummage through DMs, change the password again, and more. 

Twitter says it has logged out all affected users, everywhere.

Twitter says it has reached out to users who might have been affected by the bug. For everyone else, it’s business as usual.
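To make the expected behaviour concrete, here is an added example (not Twitter's code) of the server-side mechanism a password reset needs: every session records the password "generation" it was issued under, and changing the password bumps that counter, so sessions on every device stop validating. The User and SessionStore classes and the password_generation field are assumptions for this illustration.

```python
"""Added example: sessions tied to a per-user password generation counter.

Not Twitter's implementation. The User/SessionStore names and the
password_generation field are assumptions for this illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets


class User:
    def __init__(self, username: str, password: str):
        self.username = username
        self.password_generation = 0  # bumped on every password change
        self._set_password(password)

    def _set_password(self, password: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.password_hash = self._derive(password, self.salt)
        self.password_generation += 1

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_password(self, password: str) -> bool:
        candidate = self._derive(password, self.salt)
        return hmac.compare_digest(candidate, self.password_hash)

    def change_password(self, old: str, new: str) -> bool:
        if not self.check_password(old):
            return False
        self._set_password(new)  # new salt, new hash, generation += 1
        return True


class SessionStore:
    """Server-side session table: token -> (username, generation at issue time)."""

    def __init__(self, users: dict[str, User]):
        self._users = users
        self._sessions: dict[str, tuple[str, int]] = {}

    def login(self, username: str, password: str) -> str | None:
        user = self._users.get(username)
        if user is None or not user.check_password(password):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, user.password_generation)
        return token

    def is_valid(self, token: str) -> bool:
        entry = self._sessions.get(token)
        if entry is None:
            return False
        username, generation = entry
        user = self._users.get(username)
        # The bug described above amounts to skipping this comparison:
        # a session issued under an older password kept working.
        if user is None or generation != user.password_generation:
            self._sessions.pop(token, None)  # revoke lazily on first use
            return False
        return True

    def revoke_all(self, username: str) -> int:
        """Eager variant: drop every session for the user right away."""
        stale = [t for t, (u, _) in self._sessions.items() if u == username]
        for t in stale:
            del self._sessions[t]
        return len(stale)


def demo() -> dict[str, bool]:
    """Two devices logged in, then a password change: both old sessions die."""
    alice = User("alice", "correct horse")
    store = SessionStore({"alice": alice})
    phone = store.login("alice", "correct horse")
    laptop = store.login("alice", "correct horse")
    before = store.is_valid(phone) and store.is_valid(laptop)
    alice.change_password("correct horse", "battery staple")
    after_phone = store.is_valid(phone)
    after_laptop = store.is_valid(laptop)
    fresh = store.login("alice", "battery staple")
    return {
        "both_valid_before_reset": before,
        "phone_valid_after_reset": after_phone,
        "laptop_valid_after_reset": after_laptop,
        "new_login_valid": store.is_valid(fresh),
        "old_password_rejected": store.login("alice", "correct horse") is None,
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The lazy check in is_valid is enough on its own, because a stale session is rejected the next time it is presented; revoke_all is the eager form a site would run from the reset handler when it also wants to show the user how many sessions were terminated.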

Windows 11 pulls ahead of Windows 10 in anti-phishing stakes

Some new security additions and changes have been announced for users of Windows, but you’ll have to be using Windows 11 to get the most out of them. Windows 10 users may find that this is going to be a case of falling behind the herd ever so slightly.

Anti-phishing tools

Enhanced phishing protection, by way of SmartScreen, is the name of the game, and Microsoft is all too happy to explain the changes. SmartScreen is a Windows feature which helps ward off bogus sites phishing for personal data and payment information. People running IE8 and later will also find it attempts to protect against malicious downloads. It offers slightly different features depending on which flavour of Microsoft browser you’re using, but the overall end result is largely the same: a variety of protections against phishing portals.

In terms of features for Windows 11, enhanced phishing protection “automatically detects when users type their password into any app or site”. Windows knows “in real time” whether websites and apps have secure connections to trusted websites, notifying users of potential danger up ahead and also spreading word to other users when a phishing attack is blocked.

There is also mention of Windows analysing when and where password entry occurs, notifying users of potentially unsafe usage. This sounds a lot like how many password managers operate, popping a notification when (for example) password reuse is detected. One key difference here is that using passwords in an unsafe way is “reported to IT” for incident tracking purposes.

Friendly popups

There are some interesting additions to the user experience. Typing a password into a phishing site in a Chromium browser, or an application connecting to a phishing portal, presents the user with a popup which says:

This app made an unsafe connection that was reported to Microsoft for stealing passwords. Your organisation recommends changing your work or school password to keep your account safe.

Clicking the change password button takes users to sign-in options where they can change the password. Microsoft says that without this feature, the credentials would simply be handed over to the fake site. On the other hand, popups that steer people from dangerous sites to password-change options could invite malicious imitations that trick unwary users. A second popup might raise the chance that something untoward gets noticed, but the history of UX is littered with users clicking straight through that sort of thing.

Elsewhere, Windows will notify users who are typing passwords into notepad files and other programs that this is bad practice. As per the relevant popup:

It’s unsafe to store your password in this app. Your organisation considers it unsafe to store your password in this app and recommends removing your password from this file.

We’re not here today to discuss the merits and drawbacks of off-the-beaten-track password systems. However, it’s worth noting that this detection of typed passwords is raising some eyebrows.

Windows 11, but not 10

Finally, we come to the part where our two operating system paths diverge.

Custom-made phishing alerts are available to Windows 11 users, but not to users of Windows 10. Organisations can configure Enhanced Phishing Protection to warn users about password reuse, unsafe apps, and malicious activity, and can switch the feature’s audit mode on and off, which determines whether it sends telemetry about unsafe password events.

It’s to be expected that Windows 11 will eventually pull away from 10 in the security frontrunner stakes. Although adoption was low at the tail end of 2021, numbers will slowly ramp up over time as the Windows 10 end-of-life approaches, and organisations catch up with the stringent hardware requirements.

Only a few months back, we saw Microsoft tackling RDP intrusion with rate limiting for login attempts. We also now have upgrades to kernel protection, more support for hybrid work operations, and new default limits for SMB server authentication. It’s inevitable that we’ll continue to see this happening, and so the gulf will widen between the OS siblings.

No matter which version you’re running, ensure you keep your OS fully up-to-date and enable the security options most relevant to you. There’s enough choice available to hopefully configure your devices the exact way you need them to be running at any given time.

Stay safe out there!

Calling in the ransomware negotiator, with Kurtis Minder: Lock and Code S03E20

Ransomware can send any company into crisis. 

Immediately following an attack, the notoriously disruptive malware can spread across networks and machines, locking up important files and rendering vital data almost useless for all employees. As we learned in a previous episode of Lock and Code, a ransomware attack not only threatens an organization’s clients and external customers, but all the internal teams who are just trying to do their jobs. When Northshore School District was hit several years ago by ransomware, teacher and staff pay were threatened, and children’s school lunches needed to be reworked because the payment system had been wiped out. 

These threats are not new. If anything, the potential damage and fallout of a ransomware attack is more publicly known than ever before, which might explain why a new form of ransomware response has emerged in the past year—the ransomware negotiator.

Increasingly, companies are seeking the help of ransomware negotiators to handle their response to a ransomware attack. The negotiator, or negotiators, can work closely with a company’s executives, security staff, legal department, and press handlers to accurately and firmly represent the company’s needs during a ransomware attack. Does the company refuse to pay the ransom because of policy? The ransomware negotiator can help communicate that. Is the company open to paying, but not the full amount demanded? The negotiator can help there, too. What if the company wants to delay the attackers, hoping to gain some much-needed time to rebuild systems? The negotiator will help there, too. 

Today, on the Lock and Code podcast with host David Ruiz, we speak with Kurtis Minder, CEO of the cyber reconnaissance company GroupSense, about the intricate work of ransomware negotiation. Minder himself has helped clients with ransomware negotiation and his company has worked to formalize ransomware negotiation training. In his experience, Minder has also learned that the current debate over whether companies should pay the ransom has too few options. For a lot of small and medium-sized businesses, the question isn’t an ideological one, but an existential one: pay the ransom or go out of business.   

“What you don’t hear about is the thousands and thousands of small businesses in middle America, main street America—they get hit… they’re either going to pay a ransom or they’re going to go out of business.”

Tune in today to listen to Minder discuss how a company decides to engage a ransomware negotiator, what a ransomware negotiator’s experience and background consist of, and what the actual work of ransomware negotiation involves.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Critical WhatsApp vulnerabilities patched: Check you’ve updated!

WhatsApp has fixed two remote code execution vulnerabilities in its September update, according to its security advisory. These could have allowed an attacker to remotely access a device and execute commands from afar.

These versions of WhatsApp are affected by at least one of the vulnerabilities:

  • WhatsApp for Android prior to v2.22.16.12
  • WhatsApp Business for Android prior to v2.22.16.12
  • WhatsApp for iOS prior to v2.22.16.12
  • WhatsApp Business for iOS prior to v2.22.16.12

WhatsApp for Android prior to v2.22.16.2 and WhatsApp for iOS v2.22.15.9 are affected by both.

How to make sure you’re protected

There are no indications that these vulnerabilities have already been exploited. The vulnerabilities were found by the WhatsApp internal security team and silently fixed, so there is a good chance that your WhatsApp has already been updated. However, it never hurts to check.

Note: the methods described below may be slightly different based on the brand, type, and model of your phone, but should give you a good general idea of where to look.

If you have an iPhone, go to the App Store and tap Updates. When you find WhatsApp, tap the Update button next to the app. Your phone should then start installing the update.

If you own an Android phone, click on Play Store, then on the menu button. Under My apps and games, tap Update next to WhatsApp Messenger.

Stay safe, everyone!

Technical details

CVE-2022-36934: An integer overflow in WhatsApp could result in remote code execution (RCE) in an established video call. An integer overflow occurs when an arithmetic result is too large for the fixed-width integer that is meant to hold it, so the stored value silently wraps around: usually to something far smaller than intended, though a signed value can also wrap below the minimum representable value. If the wrapped number is then used as a buffer size or an index, the program allocates or bounds-checks against the wrong value, and an attacker can use that mismatch to write outside the intended memory region and ultimately execute code remotely.

This RCE bug affects a piece of code in the WhatsApp component Video Call Handler, which allows an attacker to turn the arithmetic error into a heap-based buffer overflow and take complete control of WhatsApp Messenger. A buffer overflow is a type of software vulnerability that exists when a program writes past the end of a buffer into an adjacent memory region. In exploit code, the two most commonly targeted regions are the stack and the heap.

The heap is an area of memory made available for use by the program at run time. The program requests blocks of memory from the heap as it needs them: to allocate a block of some size, it makes an explicit request by calling the heap allocation function (malloc, for example), which is why a wrong size computation translates directly into a wrongly sized block.

CVE-2022-27492: An integer underflow in WhatsApp could have caused remote code execution when receiving a crafted video file. An integer underflow occurs when a subtraction produces a result below the minimum value the integer can hold, so it wraps around: with an unsigned integer, a number that should always be positive becomes a very large value, and with a signed one it becomes negative. A classic example is an array index that goes negative or wraps to a huge value. The result is undefined behaviour and often a crash, and when the affected variable is a loop counter, an infinite loop is also likely.

This RCE bug affects an unspecified code block of the component Video File Handler. Manipulating it with crafted input leads to memory corruption. To exploit this vulnerability, an attacker would have to send a crafted video file to the user over WhatsApp and convince the user to play it.
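Both bugs follow the same pattern: a size derived from attacker-controlled fields is computed in fixed-width arithmetic and then trusted. The added example below (not WhatsApp's code) emulates C uint32_t arithmetic in Python to show how a multiplication that wraps (the CVE-2022-36934 pattern) or a subtraction that goes below zero (the CVE-2022-27492 pattern) yields an allocation far smaller than what the decoder then writes, and how a checked computation refuses the input instead. The frame-header layout (width, height, bytes per pixel) and the crafted header bytes are constructed for this illustration.

```python
"""Added example (not WhatsApp's code): how 32-bit wraparound turns a size
computation into an undersized heap allocation.  The header layout
(width u32, height u32, bytes-per-pixel u16) is a constructed stand-in for
the real video-call and video-file parsers."""
from __future__ import annotations

import struct

U32_MAX = 0xFFFF_FFFF
HEADER = struct.Struct("<IIH")  # constructed layout: width, height, bytes per pixel


def u32(x: int) -> int:
    """Emulate storing x in a C uint32_t: the high bits are silently dropped."""
    return x & U32_MAX


def parse_frame_header(buf: bytes) -> tuple[int, int, int]:
    if len(buf) < HEADER.size:
        raise ValueError("short header")
    return HEADER.unpack_from(buf)


def frame_bytes_unchecked(width: int, height: int, bpp: int) -> int:
    """What `width * height * bpp` yields in uint32_t arithmetic (overflow pattern)."""
    return u32(u32(width * height) * bpp)


def frame_bytes_checked(width: int, height: int, bpp: int) -> int | None:
    """Same computation, refusing any intermediate that does not fit in 32 bits."""
    pixels = width * height
    if pixels > U32_MAX or pixels * bpp > U32_MAX:
        return None  # caller must reject the frame rather than allocate
    return pixels * bpp


def heap_overrun(width: int, height: int, bpp: int) -> int:
    """Bytes a decoder writes past a buffer sized with frame_bytes_unchecked."""
    intended = width * height * bpp  # what a pixel-by-pixel decoder really writes
    allocated = frame_bytes_unchecked(width, height, bpp)
    return max(0, intended - allocated)


def payload_len_unchecked(total_len: int, header_len: int) -> int:
    """`total - header` in uint32_t: wraps to ~4 GB when header > total (underflow pattern)."""
    return u32(total_len - header_len)


def payload_len_checked(total_len: int, header_len: int) -> int | None:
    if total_len < header_len:
        return None  # truncated or malicious: refuse rather than wrap
    return total_len - header_len


# Constructed crafted header: 65536 x 65536 x 1 byte.  65536 * 65536 == 2**32,
# which a uint32_t stores as 0, so malloc(0) is followed by a 4 GiB write.
CRAFTED_HEADER = HEADER.pack(65536, 65536, 1)
SANE_HEADER = HEADER.pack(1920, 1080, 4)

if __name__ == "__main__":
    for label, hdr in (("crafted", CRAFTED_HEADER), ("sane", SANE_HEADER)):
        w, h, bpp = parse_frame_header(hdr)
        print(label, "unchecked alloc:", frame_bytes_unchecked(w, h, bpp),
              "checked:", frame_bytes_checked(w, h, bpp),
              "overrun:", heap_overrun(w, h, bpp))
    print("payload 8-16 unchecked:", payload_len_unchecked(8, 16),
          "checked:", payload_len_checked(8, 16))
```

The second crafted case worth trying is 65537 x 65535 x 2: the pixel count is exactly 0xFFFFFFFF, which fits, and only the final multiply wraps, so the allocation is plausible-looking but still half the size the decoder writes. A checked version has to test every intermediate product, not just the final one.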

A first look at the builder for LockBit 3.0 Black

A few months after the LockBit gang released version 3.0 of its ransomware, LockBit 3.0 Black, the builder for it has been leaked by what seems to be a disgruntled developer. LockBit has been by far the most widely used ransomware in 2022 and the appearance of the builder could make things worse. It is likely to be popular, so we could see new gangs appear that aren’t affiliated with the LockBit group but use its software, for example. We also expect to see fake packages offered online that infect the person running the builder, rather than building ransomware for them.

The builder turned up in two different places and was leaked using two different online identities. But where it came from and why isn’t really that interesting, certainly not for people looking to defend against it. For that, what it can do and what the implications are, are far more interesting.

Testing

Malwarebytes ransomware researchers managed to get their hands on a copy of the builder and found that, sadly, building your own ransomware has never been easier.

The whole builder actually only holds four files: an encryption key generator (keygen.exe), the builder itself (builder.exe), a modifiable configuration file (config.json), and a batch file, build.bat, that builds all of the output files.

The builder offers a high level of customization. In the included example of the configuration file the ransomware operator can choose their own C2 server, choose the processes they want to terminate, modify the ransom note, and so on.

Customised LockBit 3.0 ransom note
Our researcher had some fun with the ransom note

Once the operator has set the configuration they can start a batch file that produces all of the files they need to start a new ransomware campaign.

LockBit 3.0 builder output
All the necessary files will be created by running the builder’s bat file

A blessing in disguise is that this LockBit 3.0 Black build fixes a decryption bug that was present in previous versions. The new version encrypts and decrypts flawlessly. You absolutely don’t want to be infected with ransomware, but if you are, you want the process to be reliably reversible.

Encrypting and decrypting using LockBit

Mitigation

We recommend reading an expert view on simplifying the fight against ransomware, but to sum it up in a few bullet points:

  • Stop initial access by turning off or hardening RDP, having a plan for how and when you’ll do your security updates, and training users to spot malicious emails.
  • Make privilege escalation and lateral movement as hard as possible by using the principle of least privilege, segmenting your network, and deploying EDR.
  • Use an anti-malware solution that can identify ransomware and can roll back infections.
  • Keep your data safe with offsite, offline backups that are out of the reach of attackers.
  • Accept that even with the best defences, breaches can still happen. Prepare a disaster recovery plan.

Malwarebytes recognized as endpoint security leader by G2

G2 has released their Fall 2022 reports, ranking Malwarebytes as the leader across a number of endpoint protection categories. 

Based on factual customer reviews, Malwarebytes has been ranked #1 over top EDR vendors for endpoint malware and antivirus protection, detection and remediation of web-based threats, product usability, and more. These results continue Malwarebytes’ top ranking by G2, reinforcing Malwarebytes’ leadership in the endpoint security platform market. 

Summary Report

  • Malwarebytes has ranked #1 for 4 reports OVERALL across all vendors and market segments

    • Grid

    • Results Index

    • Implementation Index

    • Usability Index

  • Malwarebytes has ranked #1 for 5 Mid-Market reports

    • Results Index

    • Relationship Index

    • Grid report (main report)

    • Implementation Index

    • Usability Index

  • Malwarebytes has ranked #1 for 1 Small Business report

    • Grid report (main report)

Most rapid time to value (TTV)

Small- to medium-sized business (SMB) security teams need a solution that is quick to deploy, easy to set-up, and uncomplicated. Malwarebytes is that solution.

Ranked #1 in G2 Crowd’s Fall 2022 Implementation Index report, Malwarebytes’ endpoint protection suite provides the most rapid time to value (TTV) of all competitive solutions in the market today.

Best ROI

Looking for endpoint security that will provide maximum return on your investment? Malwarebytes is the answer. 

Ranked #1 in G2 Crowd’s Fall 2022 Results Index report, Malwarebytes provides the best estimated ROI of all endpoint protection suites based on our unique combination of rapid time to go live and time to ROI.

Malwarebytes ranked #1 for 4 reports OVERALL across all vendors and market segments

Grid® Report for Endpoint Protection Suites

  • Malwarebytes has the largest Market Presence and received the highest Satisfaction score among products in Endpoint Protection Suites. 98% of users rated it 4 or 5 stars.

Europe Regional Grid® Report for Endpoint Protection Suites

  • Malwarebytes has the largest Market Presence and received the highest Satisfaction score among products in Endpoint Protection Suites. 98 percent of users rated it 4 or 5 stars.

Implementation Index for Endpoint Protection Suites

  • Contributing factors: Ratings for “Ease of setup,” “Implementation time,” and “User adoption.”

  • Earned badge for highest implementation score.

Results Index

  • Contributing factors: Ratings for “Likely to recommend,” “Meets requirements,” and “Estimated ROI.”

  • Earned badge for highest overall Results score.

Usability Index for Endpoint Protection Suites

  • Contributing factors: Ratings for “Ease of admin,” “Ease of use,” “Meets requirements.”

  • Earned badges for highest overall Usability score and highest ease of use rating. 

Malwarebytes ranked #1 for 5 Mid-Market reports

Badges are awarded to products that receive the highest overall ratings along certain categories. For example, the Highest Quality of Support badge goes to the product with the highest overall quality of support score.

Mid-Market Results Index for Endpoint Protection Suites

  • Contributing factors: Ratings for “Likely to recommend,” “Meets requirements,” and “Estimated ROI.”

  • Earned badges for highest overall Results score and highest likelihood to recommend score.

Mid-Market Relationship Index for Endpoint Protection Suites

  • Contributing factors: Ratings for “Ease of business,” “Likely to recommend,” and “Quality of support.”

  • Earned badge for highest overall best relationship score.

Mid-Market Grid® Report for Endpoint Protection Suites

  • Malwarebytes has the largest Market Presence and received the highest Satisfaction score among products in Endpoint Protection Suites. 99 percent of users rated it 4 or 5 stars.

Mid-Market Implementation Index for Endpoint Protection Suites

  • Rated for “Ease of setup,” “Implementation time,” and “User adoption.”

Mid-Market Usability Index for Endpoint Protection Suites

  • Contributing factors: Ratings for “Ease of admin,” “Ease of use,” “Meets requirements.”

  • Earned badge for highest most implementable score.

Malwarebytes ranked #1 for 1 Small Business report

Small-Business Grid® Report for Endpoint Protection Suites

  • Malwarebytes has the largest Market Presence and received the highest satisfaction score among products in Endpoint Protection Suites. 98 percent of users rated it 4 or 5 stars.

Easy, effective, and efficient cyber protection validated by real users

Malwarebytes is committed to delivering a stellar experience for our users.

Customer reviews are critical to ensuring that endpoint security solutions perform well where it counts, whether that’s ease-of-use, implementation, or overall satisfaction. To read more about what customers have to say about Malwarebytes Endpoint Protection and EDR, check out our case studies page.

More resources

Malwarebytes receives highest rankings in recent third-party tests

Why MRG-Effitas matters to SMBs

MITRE ATT&CK® Evaluation results: Malwarebytes’ efficiency, delivered simply, earns high marks

Why MITRE matters to SMBs

Medtronic’s MiniMed 600 series insulin pumps potentially at risk of compromise, says FDA

The US FDA (Food and Drug Administration) has warned users of Medtronic’s MiniMed 600 Series Insulin Pump System—specifically, the MiniMed 630G and MiniMed 670G models—that their medical devices have a cybersecurity issue in their communication protocol. If compromised, attackers could gain unauthorized access to the pump system itself and alter it to deliver too much or too little insulin to the patient.

Because the MiniMed 600 series devices have components (the insulin pump, the blood glucose meter, the continuous glucose monitoring transmitter, and the CareLink USB device) that communicate wirelessly, nearby attackers could gain unauthorized access to them when the pump is paired with these components. Medtronic clearly stated that such an attack could not be done over the internet.

“Medtronic has no evidence to date that such an issue has occurred,” the company’s Urgent Medical Device Correction notification page states. “However, in the unlikely event that unauthorized access would be successful, the access could be used to deliver too much or too little insulin through delivery of an unintended insulin bolus or because insulin delivery is slowed or stopped. Too much insulin could result in hypoglycemia (low blood sugar) which can potentially lead to seizure, coma or death. Too little insulin could result in hyperglycemia (high blood sugar) which can potentially lead to diabetic ketoacidosis.”

The FDA continues to work with Medtronic to identify, communicate, and mitigate the effects of the vulnerability. Medtronic advises taking action and the necessary precautions to avoid being at risk. First, the company advises users to turn off the “Remote Bolus” feature of the pump, which is on by default.

The company also reminded users to keep their insulin pump and its components within their control at all times, never confirm connection requests on the pump screen unless initiated by them or their care partner, and not share their insulin pump’s or device’s serial numbers with anyone but their healthcare provider, distributor, and Medtronic. A detailed list of precautions can be found on this page.

2K games helpdesk abused to spread RedLine malware

On September 20, 2022, the official Twitter account for 2K Support tweeted an important message from the Customer Support team.

The tweet said an unauthorized party illegally accessed the credentials of one of the vendors of the helpdesk platform. The attacker then used that access to send out communications that contained a malicious link.

The email

There is some confusion about the email, which is clear from reading the replies and tweets on 2K support. From what we managed to put together based on the tweets and what little information 2K provided, the first email looked similar to this one:

2K Support request

In some cases, these were followed by a second email that looked similar to this one.

Email with a direct link to the malware

At the point of writing, clicking the link in the first mail will take you to a login screen for the 2K games support site and the link in the second email takes you to a Zendesk page which tells you that this “help center” no longer exists.

The malware

In the case of the first email, visitors were taken to a support ticket that contained a link to the same file (2K+Launcher.zip). In the case of the second email, the email itself contained a direct link to the malware.

The zip file contains an executable called 2K Launcher.exe. It does display a 2K logo, but if you look at the Properties, you will notice the original filename is Plumy.exe. Both the Description and the Product name have it listed as 5K Player.

File properties of 2K Launcher.exe

The malware turns out to be RedLine infostealer. RedLine specializes in stealing banking information from a system’s clipboard. It also attempts to steal other data from the affected system, like browser history, cookies, and saved browser passwords.

Info stealers like this are usually delivered to an affected system when users download them under false pretenses, often disguised as popular software or cracks.

Supply chain

Breaking into the supply chain like this can give an attacker access to a large amount of potential victims. Most of the customers in this case had open tickets, so they weren’t surprised to receive an email from the Support desk. And it’s not uncommon for Support desks to send out files for system analysis, which can help support to pinpoint the problems customers might have with the installation of their product or any other hardware or software conflicts.

Mitigation

Anyone that has downloaded the file must now do a full system scan to remove any malware.

If you have executed the file, this means that information from and about your system may have been sent to the attacker.

What can you do to limit the dangers of stolen information as much as possible?

  • Change the passwords that might have been stolen for every website you can remember logging into. Depending on how your browser stores the passwords, you may have to do the same for every password that the browser remembers for you. All modern web browsers come with a built-in password manager that offers to store your login credentials, but the level of protection they give those stored credentials differs considerably.
  • If your email account has been compromised, change that password first as other credentials may be sent to you by mail and still end up in the wrong hands. Some online shops even send you a password in plain-text.
  • Keep a close eye on your banking and eMoney accounts. Use the activity alerts that some banks offer.
  • Keep tabs on your posts in social media. It may look silly to check what you have supposedly posted yourself, but imagine someone else doing it for you.

Extra precautions

  • Enable 2FA wherever possible.
  • Do not re-use passwords, and consider a password manager to generate and remember all your passwords for you.

Malwarebytes customers were protected against this attack because the Premium version blocked the C2 server that the 2K Launcher.exe contacts when it is executed.

Malwarebytes blocks the connection to the C2 server at 103.195.100.184

Morgan Stanley’s years-long “extensive failure” to protect customer data ends in huge fine

On Tuesday, the Securities and Exchange Commission (SEC) charged financial company Morgan Stanley a $35M fine for “the firm’s extensive failures, over five years, to protect the personal identifying information, or PII, of approximately 15 million customers.” The company agreed to settle the penalty.

As early as 2015, Morgan Stanley wasn’t properly disposing of devices containing sensitive customer data, according to a press release. In one instance, it hired a moving company with “no experience or expertise” in data destruction to dispose of thousands of hard drives and servers holding thousands of unencrypted customer records. The moving company later auctioned these devices online with the data still intact.

Gurbir Grewal, the SEC’s director of the Division of Enforcement, described Morgan Stanley’s failures as “astonishing”.

“Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so,” Grewal said in a statement. “If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors. Today’s action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data.”

Morgan Stanley recovered some of the re-sold devices, but “a vast majority” of them were never recovered.

On top of that, 42 servers, potentially containing unencrypted customer data, went “missing” from local offices and branches that Morgan Stanley had shut down.

Despite the amount of data that was “misplaced” over seven years, the company says it is not aware of any of the lost sensitive data being exploited.

“We have previously notified applicable clients regarding these matters, which occurred several years ago, and have not detected any unauthorized access to, or misuse of, personal client information,” a spokesperson from Morgan Stanley said in a statement to CNN.

Update Firefox and Thunderbird now! Mozilla patches several high risk vulnerabilities

Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system.

In Firefox 105 a total of seven vulnerabilities were patched, three of which received the security risk rating “high”. In Thunderbird, three security vulnerabilities were patched, one of them rated “high”.

Security advisories were published for Firefox 105, Firefox ESR 102.3, and Thunderbird 91.13.1. Firefox 105 is the browser most Mozilla users will have on their system. Firefox Extended Support Release (ESR) is an official version of Firefox developed for large organizations that need to set up and maintain Firefox on a large scale. Thunderbird is Mozilla’s free email application.

How to update

To find out which version you are using on a Windows machine, open the application menu and click on Help > About. On a Mac, look at the top menu and click Firefox > About Firefox. This will show which version you currently have and whether an update is available. On Android, use the My apps & games item in the Play Store side menu and find Firefox Browser in the list. Use the Update button next to it.

Downloading available update screen Firefox

The screens and the way to access them are largely the same for all Mozilla programs, including Thunderbird.

Once you’ve updated, you’re protected against these vulnerabilities.

Stay safe everyone!

The technical details

Firefox vulnerabilities

CVE-2022-40959: (High) Bypassing FeaturePolicy restrictions on transient pages. During iframe navigation, certain pages didn’t have their FeaturePolicy fully initialized leading to a bypass that leaked device permissions into untrusted subdocuments. The HTTP Feature-Policy header provides a mechanism to allow and deny the use of browser features in its own frame, and in content within any iframe elements in the document.

CVE-2022-40960: (High) Data-race when parsing non-UTF-8 URLs in threads. Concurrent use of the URL parser with non-UTF-8 data was not thread-safe. This could lead to a use-after-free causing a potentially exploitable crash. UTF-8 is an encoding system for Unicode characters: it can represent any Unicode character as a unique sequence of bytes. A non-UTF-8 sequence is a run of bytes that does not form a valid UTF-8 character. Although UTF-8 has been the dominant encoding on the web for many years, there may still be URLs which use a different encoding, and an attacker can of course construct such bytes deliberately to trigger this bug.

CVE-2022-40962: (High) Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3. These bugs were found by Mozilla developers and the Mozilla Fuzzing Team. Some of these bugs showed evidence of memory corruption and it is likely that with enough effort some of these could have been exploited to run arbitrary code.

CVE-2022-40958: (Moderate) Bypassing Secure Context restriction for cookies with __Host and __Secure prefix. By injecting a cookie with certain special characters, an attacker on a shared subdomain which is not a secure context could set and thus overwrite cookies from a secure context, leading to session fixation and other attacks. The __Host- and __Secure- prefixes exist precisely to prevent this: a browser must only accept such a cookie from a secure context with the Secure attribute set, and a __Host- cookie additionally must have no Domain attribute and a Path of “/”. In a session fixation attack, the attacker already holds a valid session identifier and forces the victim’s browser to use it before the victim logs in; once the victim authenticates, the session the attacker knows becomes the victim’s authenticated session.
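The added example below (not Firefox’s code) implements the cookie-prefix rules a browser has to enforce, with a minimal cookie jar built for this illustration, and walks through the fixation scenario above: a legitimate __Host- session cookie set over HTTPS, followed by attempts from an insecure context to overwrite it. It also rejects names containing control or separator characters, since a cookie name is an HTTP token. The host names and cookie values are constructed.

```python
"""Added example (not Firefox's code): the cookie-prefix checks a browser must
apply before storing a cookie.  CookieJar is a minimal model built for this
illustration; all cookie names, values and hosts are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# RFC 6265 cookie-name is an HTTP token: no CTLs, no separators, no whitespace.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


@dataclass
class SetCookie:
    name: str
    value: str
    attrs: dict[str, str] = field(default_factory=dict)  # lower-cased attribute names


def parse_set_cookie(header: str) -> SetCookie:
    first, *rest = header.split(";")
    name, sep, value = first.partition("=")
    if not sep:
        raise ValueError("cookie pair without '='")
    attrs = {}
    for piece in rest:
        k, _, v = piece.strip().partition("=")
        attrs[k.strip().lower()] = v.strip()
    return SetCookie(name.strip(), value.strip(), attrs)


def accept_cookie(header: str, *, secure_context: bool) -> bool:
    """True if a conforming browser stores the cookie.

    secure_context: whether the Set-Cookie arrived over HTTPS.  The bug class
    in CVE-2022-40958 is a browser letting a cookie from an insecure origin
    slip past these checks so it can clobber a __Host-/__Secure- cookie.
    """
    try:
        c = parse_set_cookie(header)
    except ValueError:
        return False
    if not TOKEN_RE.match(c.name):
        return False  # control or separator characters in the name: reject outright
    lname = c.name.lower()  # prefixes are matched case-insensitively (RFC 6265bis)
    prefixed = lname.startswith("__secure-") or lname.startswith("__host-")
    if prefixed and not (secure_context and "secure" in c.attrs):
        return False
    if lname.startswith("__host-"):
        if "domain" in c.attrs or c.attrs.get("path") != "/":
            return False
    return True


class CookieJar:
    def __init__(self) -> None:
        self._cookies: dict[str, str] = {}

    def set_cookie(self, header: str, *, secure_context: bool) -> bool:
        if not accept_cookie(header, secure_context=secure_context):
            return False
        c = parse_set_cookie(header)
        self._cookies[c.name] = c.value
        return True

    def get(self, name: str) -> str | None:
        return self._cookies.get(name)


def fixation_attempt() -> dict[str, object]:
    """Constructed scenario: https://app.example.com sets a __Host- session,
    then http://shared.example.com (an insecure context) tries to replace it."""
    jar = CookieJar()
    legit = jar.set_cookie("__Host-session=s3cr3t; Secure; Path=/", secure_context=True)
    plain = jar.set_cookie("__Host-session=attacker; Path=/", secure_context=False)
    fake_secure = jar.set_cookie("__Host-session=attacker; Secure; Path=/", secure_context=False)
    ctrl_char = jar.set_cookie("__Host-session\x01=attacker; Secure; Path=/", secure_context=True)
    return {"legit": legit, "plain": plain, "fake_secure": fake_secure,
            "ctrl_char": ctrl_char, "session": jar.get("__Host-session")}


if __name__ == "__main__":
    print(fixation_attempt())
```

Note that the attacker in fake_secure does send the Secure attribute; what defeats it is the secure_context check, which only the browser can make, because the server-side attribute is just text the attacker controls.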

CVE-2022-40961: (Moderate) Stack-buffer overflow when initializing Graphics. During startup, a graphics driver with an unexpected name could lead to a stack-buffer overflow causing a potentially exploitable crash. This issue only affects Firefox for Android. Other operating systems are not affected.

CVE-2022-40956: (Low) Content-Security-Policy (CSP) base-uri bypass. When injecting an HTML base element, some requests would ignore the CSP’s base-uri settings and accept the injected element’s base instead. The HTTP CSP base-uri directive restricts the URLs which can be used in a document’s <base> element.

CVE-2022-40957: (Low) Incoherent instruction cache when building WASM on ARM64. Inconsistent data in instruction and data cache when creating wasm code could lead to a potentially exploitable crash. Wasm is designed as a portable compilation target for programming languages, enabling deployment on the web for client and server applications. This bug only affects Firefox on ARM64 platforms. ARM64 is the architecture used by newer Macs built on Apple Silicon, shipped in late 2020 and beyond, and by most modern Android phones.

Thunderbird

CVE-2022-3033: (High) Leaking of sensitive information when composing a response to an HTML email with a META refresh tag. If a Thunderbird user replied to a crafted HTML email containing a meta tag, with the meta tag having the http-equiv=”refresh” attribute, and the content attribute specifying a URL, then Thunderbird started a network request to that URL, regardless of the configuration to block remote content. In combination with certain other HTML elements and attributes in the email, it was possible to execute JavaScript code included in the message in the context of the message compose document. This bug doesn’t affect Thunderbird users who have changed the default Message Body display setting to ‘simple html’ or ‘plain text’.

CVE-2022-3032: (Moderate) When receiving an HTML email that contained an iframe element, which used a srcdoc attribute to define the inner HTML document, remote objects specified in the nested document, for example images or videos, were not blocked. Rather, the network was accessed, the objects were loaded and displayed.

CVE-2022-3034: (Moderate) An iframe element in an HTML email could trigger a network request. When receiving an HTML email that specified to load an iframe element from a remote location, a request to the remote document was sent. However, Thunderbird didn’t display the document.
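All three Thunderbird issues are gaps in one mechanism: remote-content blocking has to catch every construct that triggers a network request, including a meta refresh, an iframe’s own src, and anything inside a nested srcdoc document. The added example below (not Thunderbird’s code) is a small HTML-mail sanitiser that handles all three, recursing into srcdoc so nested documents get the same treatment. The sample message and the host evil.example are constructed.

```python
"""Added example (not Thunderbird's code): a remote-content blocker for HTML
mail covering <meta http-equiv="refresh">, <iframe src>, and objects nested in
an <iframe srcdoc> document.  SAMPLE_MAIL and evil.example are constructed."""
from __future__ import annotations

import html
from html.parser import HTMLParser

FETCH_ATTRS = {"src", "poster", "background", "data"}  # attributes that load on render


def is_remote(url: str) -> bool:
    u = url.strip().lower()
    return u.startswith(("http:", "https:", "//"))


class RemoteContentBlocker(HTMLParser):
    """Re-serialises the document with every network-triggering reference removed."""

    def __init__(self) -> None:
        super().__init__()
        self.out: list[str] = []
        self.blocked: list[tuple[str, str]] = []  # (where, url) for an audit trail

    def handle_starttag(self, tag, attrs):
        self._tag(tag, attrs, self_closing=False)

    def handle_startendtag(self, tag, attrs):
        self._tag(tag, attrs, self_closing=True)

    def _tag(self, tag, attrs, self_closing):
        if tag == "meta" and any(k == "http-equiv" and (v or "").lower() == "refresh"
                                 for k, v in attrs):
            target = next((v for k, v in attrs if k == "content"), "") or ""
            self.blocked.append(("meta-refresh", target))
            return  # drop the tag: a refresh is a navigation, i.e. a network request
        kept = []
        for k, v in attrs:
            fetches = k in FETCH_ATTRS or (tag == "link" and k == "href")
            if k == "srcdoc" and v is not None:
                nested = RemoteContentBlocker()  # the inline document gets the same filtering
                nested.feed(v)
                nested.close()
                self.blocked.extend(nested.blocked)
                v = nested.result()
            elif fetches and v and is_remote(v):
                self.blocked.append((f"{tag}@{k}", v))
                continue  # strip the attribute, keep the element
            elif k.startswith("on"):
                continue  # inline event handlers never belong in mail
            kept.append((k, v))
        parts = [tag] + [f'{k}="{html.escape(v, quote=True)}"' if v is not None else k
                         for k, v in kept]
        self.out.append(f"<{' '.join(parts)}{' /' if self_closing else ''}>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments render nothing; dropping them is safe

    def result(self) -> str:
        return "".join(self.out)


def block_remote_content(doc: str) -> tuple[str, list[tuple[str, str]]]:
    p = RemoteContentBlocker()
    p.feed(doc)
    p.close()
    return p.result(), p.blocked


SAMPLE_MAIL = (  # constructed test message
    '<html><head><meta charset="utf-8">'
    '<meta http-equiv="refresh" content="0; url=https://evil.example/track?id=42"></head>'
    '<body><p>Hello &amp; welcome</p>'
    '<img src="https://evil.example/pixel.gif" alt="">'
    '<iframe src="https://evil.example/frame"></iframe>'
    '<iframe srcdoc="&lt;img src=&quot;https://evil.example/nested.gif&quot;&gt;"></iframe>'
    '<a href="https://example.com/page" onclick="alert(1)">link</a>'
    '</body></html>'
)

if __name__ == "__main__":
    cleaned, blocked = block_remote_content(SAMPLE_MAIL)
    print(cleaned)
    for where, url in blocked:
        print("blocked", where, url)
```

Ordinary links are deliberately left alone: an href on an anchor fetches nothing until the user clicks, whereas a link element’s href, an image’s src and a refresh all fire the moment the message renders, which is exactly the distinction the blocked-remote-content setting is supposed to draw.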