Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

USN-915-1: Thunderbird vulnerabilities

18 March 2010

Thunderbird vulnerabilities

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Releases

Packages

Details

Several flaws were discovered in the JavaScript engine of Thunderbird. If a
user had JavaScript enabled and were tricked into viewing malicious web
content, a remote attacker could cause a denial of service or possibly
execute arbitrary code with the privileges of the user invoking the
program. (CVE-2009-0689, CVE-2009-2463, CVE-2009-3075)

Josh Soref discovered that the BinHex decoder used in Thunderbird contained
a flaw. If a user were tricked into viewing malicious content, a remote
attacker could cause a denial of service or possibly execute arbitrary code
with the privileges of the user invoking the program. (CVE-2009-3072)

It was discovered that Thunderbird did not properly manage memory when
using XUL tree elements. If a user were tricked into viewing malicious
content, a remote attacker could cause a denial of service or possibly
execute arbitrary code with the privileges of the user invoking the
program. (CVE-2009-3077)

Jesse Ruderman and Sid Stamm discovered that Thunderbird did not properly
display filenames containing right-to-left (RTL) override characters. If a
user were tricked into opening a malicious file with a crafted filename, an
attacker could exploit this to trick the user into opening a different file
than the user expected. (CVE-2009-3376)

Takehiro Takahashi discovered flaws in the NTLM implementation in
Thunderbird. If an NTLM authenticated user opened content containing links
to a malicious website, a remote attacker could send requests to other
applications, authenticated as the user. (CVE-2009-3983)

Ludovic Hirlimann discovered a flaw in the way Thunderbird indexed certain
messages with attachments. A remote attacker could send specially crafted
content and cause a denial of service or possibly execute arbitrary code
with the privileges of the user invoking the program. (CVE-2010-0163)

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 9.10
Ubuntu 9.04
Ubuntu 8.10
Ubuntu 8.04

After a standard system upgrade you need to restart Thunderbird to effect
the necessary changes.

Related notices

  • USN-871-1: kdelibs, kdelibs4c2a
  • USN-798-1: firefox-3.0, xulrunner-1.9, abrowser
  • USN-821-1: firefox-3.0, xulrunner-1.9, abrowser
  • USN-853-1: xulrunner-1.9, xulrunner-1.9.1, firefox-3.5, abrowser, firefox-3.0
  • USN-873-1: firefox-3.0, xulrunner-1.9, abrowser
  • USN-874-1: firefox-3.5, xulrunner-1.9.1