In association with heise online

27 February 2008, 13:17

Five security vulnerabilities patched in Thunderbird


Users of Thunderbird are being urged to update to version 2.0.0.12 of the open source email client to close several security holes. In the new version, the Mozilla developers remedy five vulnerabilities, one of which is categorized as critical because attackers can inject malicious code by means of specially crafted emails – and all users need to do is open the email. Existing users of Thunderbird should be offered the upgrade when they launch the program or check for updates.

The critical hole can be exploited by emails containing specially crafted attachments. If the attachment is MIME-encoded, Thunderbird may reserve insufficient memory, possibly causing a buffer overflow on the heap and allowing injected code to be executed. The flaw also affects the SeaMonkey suite.

The other flaws were also present in Firefox and SeaMonkey. The developers remedied them in Firefox version 2.0.0.12 and SeaMonkey 1.1.8. One of them is a vulnerability that allows the content of memory to be read if an email contains manipulated bitmap images. Thunderbird 2.0.0.12 also remedies the directory-traversal vulnerability that add-ons not packaged as .jar archives could expose.

Thunderbird users are advised to install the update as soon as possible.
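
A fleet check against the fixed releases named above, as an added example (not part of the original article and not Mozilla's code). The `host product version` inventory format and the sample hosts are assumptions constructed for illustration. Versions are compared numerically because a plain string comparison would rank 2.0.0.9 above 2.0.0.12.

```python
import re

# Fixed releases named in the article above.
FIXED = {"thunderbird": "2.0.0.12", "firefox": "2.0.0.12", "seamonkey": "1.1.8"}

def parse_version(text):
    """Turn '2.0.0.9' into (2, 0, 0, 9); reject anything that is not dotted digits."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def is_patched(product, version):
    """True if version is at or above the fixed release for product."""
    fixed = parse_version(FIXED[product.lower()])
    seen = parse_version(version)
    # Pad to equal length so that 2.0.0 is treated as 2.0.0.0.
    width = max(len(fixed), len(seen))
    fixed += (0,) * (width - len(fixed))
    seen += (0,) * (width - len(seen))
    return seen >= fixed

def audit(inventory_text):
    """Return (host, product, version, status) for every inventory line."""
    rows = []
    for line in inventory_text.strip().splitlines():
        host, product, version = line.split()
        if product.lower() not in FIXED:
            status = "not-covered"
        else:
            try:
                status = "ok" if is_patched(product, version) else "update-needed"
            except ValueError:
                status = "check-manually"  # e.g. pre-release or vendor-suffixed builds
        rows.append((host, product, version, status))
    return rows

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = """
ws-01 Thunderbird 2.0.0.9
ws-02 Thunderbird 2.0.0.12
ws-03 SeaMonkey 1.1.7
ws-04 Firefox 2.0.0.11
ws-05 Thunderbird 2.0.0.12pre
ws-06 SeaMonkey 1.1.10
"""

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("%-6s %-12s %-12s %s" % row)
```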


(mba)

Permalink: http://h-online.com/-734357
 

