Many of them can be used to execute arbitrary code remotely

Jul 21, 2010 13:16 GMT  ·  By

Mozilla released updates to its popular Thunderbird email client in order to address multiple security and stability issues. The new Thunderbird 3.1.1 and 3.0.6 contain fixes for critical bugs that can be exploited to execute arbitrary code on targeted systems.

There are a total of ten security advisories associated with these Thunderbird updates, but some of them are related to issues only affecting the 3.1.x branch. Firefox is also impacted by all of the vulnerabilities described in these advisories and similar updates have been released for the browser.

Five advisories are marked as critical. This severity rating is assigned to vulnerabilities which can be exploited from a remote location to execute arbitrary code, without any assistance from the victim. One of these advisories refers to multiple memory safety issues discovered by Mozilla developers, which could lead to memory corruption conditions.

Two additional advisories concern two integer overflow bugs in an array class used to store CSS values and the implementation of the XUL <tree> element. These were discovered by researchers who reported them through the Zero Day Initiative (ZDI) program.

A Mozilla security researcher, going by the moniker of moz_bug_r_a4, has also reported a bug which allows attackers to execute arbitrary JavaScript with elevated privileges. This vulnerability only affects the 3.1 branch and was therefore not addressed in the 3.0.6 update.

A critical buffer overflow vulnerability affecting both the 3.1 and 3.0 Thunderbird branches, as well as Firefox, was discovered in Mozilla's privately maintained version of libpng. The bug also affected the official build of the PNG reference library, but was fixed at the end of last month.

Two flaws that allow bypassing Same-Origin policies for JavaScript and canvas elements have been addressed in the new releases. These bugs were marked with high severity. Three other vulnerabilities marked as moderate, which facilitated data theft or resulted in information leakage, also received fixes.

Users are strongly encouraged to upgrade to the new versions. It is also worth noting that the 3.0.x branch will only continue to receive security and stability updates for a limited period of time.

The latest version of Mozilla Thunderbird for Windows can be downloaded from here.

The latest version of Mozilla Thunderbird for Mac can be downloaded from here.

The latest version of Mozilla Thunderbird for Linux can be downloaded from here.

You can follow the editor on Twitter @lconstantin