Five security vulnerabilities patched in Thunderbird
Users of Thunderbird are being urged to update to version 2.0.0.12 of the open source email client to close several security holes. In the new version, the Mozilla developers remedy five vulnerabilities, one of which is categorized as critical because attackers can inject malicious code by means of specially crafted emails – and all users need to do is open the email. Existing users of Thunderbird should be offered the upgrade when they launch the program or check for updates.
The critical hole can be exploited by emails containing specially crafted attachments. If the attachment is MIME-encoded, Thunderbird may reserve insufficient memory, possibly causing a buffer overflow on the heap and allowing injected code to be executed. The flaw also affects the SeaMonkey suite.
The other flaws were also present in Firefox and SeaMonkey. The developers remedied them in Firefox version 2.0.0.12 and SeaMonkey 1.1.8. One of them is a vulnerability that allows the content of memory to be read if an email contains manipulated bitmap images. Thunderbird 2.0.0.12 also remedies the directory-traversal vulnerability that add-ons not packaged as .jar archives could expose.
Thunderbird users are advised to install the update as soon as possible.
See also:
- Fixed in Thunderbird 2.0.0.12, overview of the patches in Thunderbird 2.0.0.12
- Mozilla Thunderbird MIME External-Body Heap Overflow Vulnerability, security advisory at iDefense
(mba)