Date: 03 July 2008
References: AA-2008.0147 ESB-2009.0343
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AA-2008.0148 AUSCERT Advisory
[Win][UNIX/Linux]
Thunderbird 2.0.0.14 is vulnerable to five of the recent
security vulnerabilities in AA-2008.0147
3 July 2008
- ---------------------------------------------------------------------------
AusCERT Advisory Summary
------------------------
Product: Thunderbird 2.0.0.14 and prior
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact: Execute Arbitrary Code/Commands
Denial of Service
Provide Misleading Information
Access: Remote/Unauthenticated
CVE Names: CVE-2008-2798 CVE-2008-2799 CVE-2008-2802
CVE-2008-2803 CVE-2008-2809 CVE-2008-2811
Member content until: Thursday, July 31 2008
Ref: AA-2008.0147
OVERVIEW
Thunderbird 2.0.0.14 is vulnerable to five of the recent security
vulnerabilities in AA-2008.0147. [1,2,3,4,5]
DETAILS
Thunderbird 2.0.0.14 (and prior) is vulnerable to the following:
- MFSA 2008-21 Crashes with evidence of memory corruption (rv:1.8.1.15)
- MFSA 2008-24 Chrome script loading from fastload file
- MFSA 2008-25 Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript()
- MFSA 2008-31 Peer-trusted certs can use alt names to spoof
- MFSA 2008-33 Crash and remote code execution in block reflow
Four of these vulnerabilities have been rated Critical by the
Mozilla Foundation. [1,2,3,5]
MITIGATION
Users of Thunderbird 2.0.0.14 are recommended to disable JavaScript
until an update is available. This should mitigate against the four
critical vulnerabilities. [1,2,3,5]
For the vulnerability rated "Moderate" (MFSA 2008-31) be mindful
of self-signed certificates and the information they contain when
accepting them. [4]
REFERENCES
[1] Mozilla Foundation Security Advisory 2008-21
http://www.mozilla.org/security/announce/2008/mfsa2008-21.html
[2] Mozilla Foundation Security Advisory 2008-24
http://www.mozilla.org/security/announce/2008/mfsa2008-24.html
[3] Mozilla Foundation Security Advisory 2008-25
http://www.mozilla.org/security/announce/2008/mfsa2008-25.html
[4] Mozilla Foundation Security Advisory 2008-31
http://www.mozilla.org/security/announce/2008/mfsa2008-31.html
[5] Mozilla Foundation Security Advisory 2008-33
http://www.mozilla.org/security/announce/2008/mfsa2008-33.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBSGxcgSh9+71yA2DNAQI1UwP/QItovVrat4WmZ6mAIOfEcGLpM5eQFE12
zFk9lI1DNO65HjUPtOo9egekirD761o9ZTtWDYIDa3bho5DEimNeRhA0NPI7S5aC
9EKEMkWuLwdl7Bx5sTNCyjJG73qq+Eh3ALiAv1VByWBurspw1oVh3zPYhA40pyO7
V/4EqcMm12A=
=oxB4
-----END PGP SIGNATURE-----
|