Thunderbird < 14.0 Multiple Vulnerabilities (Mac OS X)

This script is Copyright (C) 2012-2015 Tenable Network Security, Inc.

Synopsis :

The remote Mac OS X host contains a mail client that is potentially
affected by several vulnerabilities.

Description :

The installed version of Thunderbird is earlier than 14.0 and thus,
is potentially affected by the following security issues :

- Several memory safety issues exist, some of which could
potentially allow arbitrary code execution.
(CVE-2012-1948, CVE-2012-1949)

- Several memory safety issues exist related to the Gecko
layout engine. (CVE-2012-1951, CVE-2012-1952,
CVE-2012-1953, CVE-2012-1954)

- An error related to JavaScript functions
'history.forward' and 'history.back' can allow
incorrect URLs to be displayed. (CVE-2012-1955)

- Cross-site scripting attacks are possible due to an
error related to the '<embed>' tag within an RSS
'<description>' element. (CVE-2012-1957)

- A use-after-free error exists related to the method
'nsGlobalWindow::PageHidden'. (CVE-2012-1958)

- An error exists that can allow 'same-compartment
security wrappers' (SCSW) to be bypassed.

- An out-of-bounds read error exists related to the color
management library (QCMS). (CVE-2012-1960)

- The 'X-Frames-Options' header is ignored if it is
duplicated. (CVE-2012-1961)

- A memory corruption error exists related to the method
'JSDependentString::undepend'. (CVE-2012-1962)

- An error related to the 'Content Security Policy' (CSP)
implementation can allow the disclosure of OAuth 2.0
access tokens and OpenID credentials. (CVE-2012-1963)

- An error exists related to the 'javascript:' URL that
can allow scripts to run at elevated privileges outside
the sandbox. (CVE-2012-1967)

See also :

Solution :

Upgrade to Thunderbird 14.0 or later.

Risk factor :

High / CVSS Base Score : 9.3
CVSS Temporal Score : 8.1
Public Exploit Available : false