Thunderbird 220.127.116.11 fixes SSL vulnerability
The Mozilla developers have announced the release of version 18.104.22.168 of their popular Thunderbird email client, addressing a vulnerability in the processing of SSL certificates. Previously, a null character inserted into a certificate name could trick some applications into treating, for example, a certificate issued for www.paypal.com\0.thoughtcrime.org as if it belonged to www.paypal.com.
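The following added example (not Mozilla's code and not from the original report) shows why the null character matters: a hostname check that treats the certificate name as a C string stops at the first NUL, while a length-aware check rejects the name. The names `cert_name`, `match_naive` and `match_strict` are hypothetical, the sample bytes are constructed from the name quoted above, and wildcard matching is left out.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* A certificate name as a parser yields it: bytes plus an explicit length.
   ASN.1 strings are length-prefixed, so a 0x00 byte can appear inside. */
struct cert_name {
    const unsigned char *data;
    size_t len;
};

/* Flawed check: handles the name as a NUL-terminated C string, so the
   comparison ends at the first NUL and the rest of the name is ignored. */
int match_naive(const struct cert_name *cn, const char *host)
{
    return strcasecmp((const char *)cn->data, host) == 0;
}

/* Hardened check: refuse any name containing a NUL, then compare over the
   full declared length (case-insensitively, as hostnames are). */
int match_strict(const struct cert_name *cn, const char *host)
{
    size_t hlen = strlen(host);
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;               /* embedded NUL is never valid in a hostname */
    if (cn->len != hlen)
        return 0;               /* declared length must equal the host's */
    return strncasecmp((const char *)cn->data, host, hlen) == 0;
}

/* Constructed samples: the name quoted in the article (32 bytes, NUL at
   offset 14) and an ordinary name for comparison. */
static const unsigned char SAMPLE[] = "www.paypal.com\0.thoughtcrime.org";
static const struct cert_name SAMPLE_NAME = { SAMPLE, sizeof(SAMPLE) - 1 };
static const unsigned char PLAIN[] = "www.paypal.com";
static const struct cert_name PLAIN_NAME = { PLAIN, sizeof(PLAIN) - 1 };

int main(void)
{
    const char *host = "www.paypal.com";
    printf("naive,  crafted name: %d\n", match_naive(&SAMPLE_NAME, host));
    printf("strict, crafted name: %d\n", match_strict(&SAMPLE_NAME, host));
    printf("strict, plain name:   %d\n", match_strict(&PLAIN_NAME, host));
    return 0;
}
```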
Moxie Marlinspike and Dan Kaminsky revealed details of the vulnerability in their Black Hat presentations. The vulnerability also existed in Firefox 3.5.x and 3.0.x, where it was fixed more than two weeks ago. Other software vendors are still working on updates for their products.
The security update is recommended for all users. More details about the release can be found in the release notes. Thunderbird 22.214.171.124 is available to download for Windows, Mac OS X and Linux. Thunderbird is released under the MPL/LGPL/GPL tri-license.
- Compromise of SSL-protected communication, security advisory from the Mozilla Foundation.
- Firefox 3.5.2 and 3.0.13 fix security vulnerabilities, a report from The H.
- SSL flaw revealed at Black Hat, a report from The H.