Security hole in Thunderbird 2.x
Already closed in Opera, Firefox and Chrome, the format string vulnerability caused by a flawed implementation of the dtoa C function for converting floating point numbers into strings (double to ASCII) is creating further ripples. Maksymilian Arciemowicz, who discovered the problem, has released several advisories stating that the Thunderbird 2.x email client, as well as the Sunbird 0.9 calendar application and the Flock and Camino browsers, are or were also affected. In the current versions of Flock (2.5.5) and Camino (2.0.1), the flaw has been fixed.
The vulnerability allows attackers to overwrite arrays and to inject and execute arbitrary code by including certain formatting characters. The hole has been publicly known since last June and was rated extremely critical, at least for the browsers.
While the flaw has reportedly been fixed in the forthcoming version 220.127.116.11 of Thunderbird, the only version currently available to download is 18.104.22.168pre. The current version of Thunderbird 2.x (22.214.171.124) was released last August. Why the Mozilla Foundation is taking so long to release a new version of Thunderbird 2.x is an open question. It could be that the development of Thunderbird 3 has drawn off all available resources. As the new version of the email client does not contain the flaw, users are advised to switch if they can.
Arciemowicz said that several add-ons for Thunderbird 2.x, including Lightning 0.9 and Thunderbrowse 126.96.36.199, are also affected.
- New Security Notes for: Thunderbird, Camino, Sunbird and Flock, security advisory from SecurityReason.
- Opera 10.10 closes "extremely severe" hole, a report from The H.
- Thunderbird 188.8.131.52 fixes SSL vulnerability, a report from The H.
- Google closes vulnerability in Chrome 3, a report from The H.