14 DAY TRIAL // The newly released 3.1.5 and 3.0.9 versions of Mozilla Thunderbird, address a total of eleven vulnerabilities affecting the popular open source email client, including eight that are rated critical.
Three memory corruption vulnerabilities (CVE-2010-3176, CVE-2010-3175, CVE-2010-3174) that could potentially be exploited to execute arbitrary code, were identified by the Mozilla developers.
Security researcher Alexander Miller discovered a buffer overflow vulnerability (CVE-2010-3179) when passing overly long strings to the document.write() JavaScript function.
Sergey Glazunov reported a use-after-free error (CVE-2010-3180) resulting from the locationbar property of a window object still being accessible after the window closes.
Another remote code execution vulnerability (CVE-2010-3183) stemming from an improper sanity check in the LookupGetterorSetter() function was reported by a researcher named regenrecht through TippingPoint's Zero Day Initiative (ZDI) program.
Two remote binary planting vulnerabilities (CVE-2010-3181 and CVE-2010-3182) affecting Windows and Linux, were found by Ehsan Akhgari and Dmitri Gribenko, respectively.
This type of vulnerability results from an unsafe use of library loading functions and can be exploited by attackers to trick applications into loading rogue DLLs.
A high-rated cross-site information leakage flaw (CVE-2010-3178), which violates the JavaScript same-origin policy, was identified by Eduardo Vela Nava.
A SSL bug (CVE-2010-3170) allows valid SSL connections to be established with multiple servers using a certificate that contains a wildcard followed by a partial IP in the common name field.
Mozilla considers this vulnerability discovered by security researcher Richard Moore, to have only a moderate impact because the issuing of such a certificate by a CA is extremely unlikely.
A low-impact vulnerability (CVE-2010-3173) was also identified by Mozilla cryptographer Nelson Bolyard in the SSL implementation and concerns the use of weak Diffie-Hellman Ephemeral mode (DHE) keys.
The flaws fixed in these Thunderbird releases are the same as those patched in Firefox 3.6.11 and 3.5.14, with the exception of a moderate cross-site scripting weakness (CVE-2010-3177).
The Mozilla development team announces that the next 3.0 release, namely 3.0.10, will be the final one in this branch. All 3.0.x users are encouraged to upgrade to Thunderbird 3.1 as soon as possible.
The latest version of Mozila Thunderbird for Windows can be downloaded here.
The latest version of Mozila Thunderbird for Mac can be downloaded here.
The latest version of Mozila Thunderbird for Linux can be downloaded here.