Thunderbird ESR < 17.0.10 Multiple Vulnerabilities (Mac OS X)

This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

The remote Mac OS X host contains a mail client that is potentially
affected by multiple vulnerabilities.

Description :

The installed version of Thunderbird ESR is prior to 17.0.10 and is,
therefore, potentially affected by the following vulnerabilities :

- The implementation of Network Security Services (NSS)
does not ensure that data structures are initialized,
which could result in a denial of service or disclosure
of sensitive information. (CVE-2013-1739)

- Memory issues exist in the browser engine that could
result in a denial of service or arbitrary code
execution. (CVE-2013-5590, CVE-2013-5591, CVE-2013-5592)

- Memory issues exist in the JavaScript engine that could
result in a denial of service or arbitrary code
execution. (CVE-2013-5595, CVE-2013-5602)

- Multiple use-after-free vulnerabilities exist that could
result in a denial of service or arbitrary code
execution. (CVE-2013-5597, CVE-2013-5599, CVE-2013-5600,
CVE-2013-5601)

- A stack-based buffer overflow in
txXPathNodeUtils::getBaseURI is possible due to
uninitialized data during XSLT processing.
(CVE-2013-5604)

See also :

http://www.mozilla.org/security/announce/2013/mfsa2013-93.html
http://www.mozilla.org/security/announce/2013/mfsa2013-95.html
http://www.mozilla.org/security/announce/2013/mfsa2013-96.html
http://www.mozilla.org/security/announce/2013/mfsa2013-98.html
http://www.mozilla.org/security/announce/2013/mfsa2013-100.html
http://www.mozilla.org/security/announce/2013/mfsa2013-101.html

Solution :

Upgrade to Thunderbird ESR 17.0.10 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.1
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false