Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : mozilla-thunderbird, thunderbird vulnerabilities (USN-741-1)

Ubuntu Security Notice (C) 2009-2014 Canonical, Inc. / NASL script (C) 2009-2014 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing one or more security-related patches.

Description :

Several flaws were discovered in the browser engine. If JavaScript
were enabled, an attacker could exploit these flaws to crash
Thunderbird and possibly execute arbitrary code with user privileges.
(CVE-2009-0352)

Jesse Ruderman and Gary Kwong discovered flaws in the browser engine.
If a user had JavaScript enabled, these problems could allow a remote
attacker to cause a denial of service or possibly execute arbitrary
code with the privileges of the user invoking the program.
(CVE-2009-0772, CVE-2009-0774)

Georgi Guninski discovered a flaw when Thunderbird performed a
cross-domain redirect. If a user had JavaScript enabled, an attacker
could bypass the same-origin policy in Thunderbird by utilizing
nsIRDFService and steal private data from users authenticated to the
redirected website. (CVE-2009-0776)

Solution :

Update the affected packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.7
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 37220

Bugtraq ID: 33990

CVE ID: CVE-2009-0352, CVE-2009-0772, CVE-2009-0774, CVE-2009-0776