-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT Security Bulletin

                                ASB-2010.0249
       Mozilla has released versions 3.1.7 and 3.0.11 of Thunderbird
                              10 December 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Thunderbird
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2010-3768 CVE-2010-3769 CVE-2010-3776
                      CVE-2010-3777 CVE-2010-3778
Member content until: Sunday, January 9 2011
Reference:            ASB-2010.0248

OVERVIEW

        Mozilla has released versions 3.1.7 and 3.0.11 of the Thunderbird
        email client, correcting multiple security vulnerabilities.

IMPACT

        The vendor has supplied the following information regarding these
        vulnerabilities:

        "Mozilla developers identified and fixed several memory safety bugs
        in the browser engine used in Firefox and other Mozilla-based
        products. Some of these bugs showed evidence of memory corruption
        under certain circumstances, and we presume that with enough effort
        at least some of these could be exploited to run arbitrary code." [1]

        "Dirk Heinrich reported that on Windows platforms when
        document.write() was called with a very long string a buffer
        overflow was caused in line breaking routines attempting to process
        the string for display. Such cases triggered an invalid read past
        the end of an array causing a crash which an attacker could
        potentially use to run arbitrary code on a victim's computer." [2]

        "Mozilla added the OTS font sanitizing library to prevent
        downloadable fonts from exposing vulnerabilities in the underlying
        OS font code. This library mitigates against several issues
        independently reported by Red Hat Security Response Team member
        Marc Schoenefeld and Mozilla security researcher Christoph
        Diehl." [3]

MITIGATION

        It is recommended that users of Thunderbird upgrade to the latest
        version.

REFERENCES

        [1] Mozilla Foundation Security Advisory 2010-74
            http://www.mozilla.org/security/announce/2010/mfsa2010-74.html

        [2] Mozilla Foundation Security Advisory 2010-75
            http://www.mozilla.org/security/announce/2010/mfsa2010-75.html

        [3] Mozilla Foundation Security Advisory 2010-78
            http://www.mozilla.org/security/announce/2010/mfsa2010-78.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFNAX5J/iFOrG6YcBERAmUSAJ0eJrDFU/BwSS+4dABO63lqbiWrbgCg1FeR
quq7kv1/BQ7zAOqL2nxOHPM=
=qKn4
-----END PGP SIGNATURE-----
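As an added example that is not part of the AusCERT bulletin, the following Python check applies the bulletin's MITIGATION advice to an inventory: it classifies each host's Thunderbird version against the fixed releases named above (3.0.11 for the 3.0 branch, 3.1.7 for the 3.1 branch). The host inventory and version strings are constructed sample data; only the branch-to-fix mapping comes from the bulletin.

```python
# Added example; the fixed versions below are taken from ASB-2010.0249.
FIXED_VERSIONS = {(3, 0): (3, 0, 11), (3, 1): (3, 1, 7)}


def parse_version(text):
    """Turn '3.0.11' into (3, 0, 11); non-numeric suffixes on a
    component are ignored and missing components default to 0."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def assess(text):
    """Classify one version string relative to this bulletin:
    'fixed' or 'vulnerable' for the 3.0/3.1 branches it covers,
    'unsupported' for anything older, 'out-of-scope' for anything newer."""
    ver = parse_version(text)
    branch = ver[:2]
    if branch in FIXED_VERSIONS:
        return "fixed" if ver >= FIXED_VERSIONS[branch] else "vulnerable"
    if ver < (3, 0, 0):
        return "unsupported"   # pre-3.0 releases did not receive these fixes
    return "out-of-scope"      # newer than the branches this bulletin names


def audit(inventory):
    """Map host -> version to the sorted list of hosts needing attention
    (anything not classified as 'fixed')."""
    return sorted(h for h, v in inventory.items() if assess(v) != "fixed")


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = {
    "mail-ws01": "3.1.7",
    "mail-ws02": "3.1.6",
    "mail-ws03": "3.0.11",
    "mail-ws04": "3.0.9",
    "legacy-box": "2.0.0.24",
}

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {assess(SAMPLE_INVENTORY[host])}")
```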