In association with heise online

11 December 2009, 12:08

Security hole in Thunderbird 2.x

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Already closed in Opera, Firefox and Chrome, the format string vulnerability caused by a flawed implementation of the dtoa C function for converting floating point numbers into strings (double to ascii) is creating further ripples. Maksymilian Arciemowicz, who discovered the problem, has released several advisories stating that the Thunderbird 2.x email client, as well as the Sunbird 0.9 calendar application and the Flock and Camino browsers, are or were also affected. In the current versions of Flock (2.5.5) and Camino (2.0.1), the flaw has been fixed.

The vulnerability allows attackers to overwrite arrays, and inject and execute arbitrary code, by including certain formatting characters. The hole has been publicly known since last June and was rated extremely critical at least for the browsers.

While the flaw has reportedly been fixed in the forthcoming version of Thunderbird, the only version currently available to download is The current version of Thunderbird 2.x ( was released last August. Why the Mozilla Foundation is taking so long to release a new version of Thunderbird 2.x is an open question. It could be that the development of Thunderbird 3 has drawn off all available resources. As the new version of the email client does not contain the flaw, users are advised to switch if they can.

Arciemowicz said that several add-ons for Thunderbird 2.x, including Lightning 0.9 and Thunderbrowse, are also affected.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit