Thunderbird < 24.1 Multiple Vulnerabilities (Mac OS X)

This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

The remote Mac OS X host contains a mail client that is potentially
affected by multiple vulnerabilities.

Description :

The installed version of Thunderbird is earlier than 24.1 and is,
therefore, potentially affected by the following vulnerabilities :

- The implementation of Network Security Services (NSS)
does not ensure that data structures are initialized,
which could result in a denial of service or disclosure
of sensitive information. (CVE-2013-1739)

- Memory issues exist in the browser engine that could
result in a denial of service or arbitrary code
execution. (CVE-2013-5590, CVE-2013-5591, CVE-2013-5592)

- Arbitrary HTML content can be put into 'select'
elements. This can be used to spoof the displayed
address bar, leading to clickjacking and other spoofing
attacks. (CVE-2013-5593)

- Memory issues exist in the JavaScript engine that could
result in a denial of service or arbitrary code
execution. (CVE-2013-5595, CVE-2013-5602)

- A race condition exists during image collection on large
web pages that could result in a denial of service or
arbitrary code execution. (CVE-2013-5596)

- Multiple use-after-free vulnerabilities exist that could
result in a denial of service or arbitrary code
execution. (CVE-2013-5597, CVE-2013-5599, CVE-2013-5600,
CVE-2013-5601, CVE-2013-5603)

- A stack-based buffer overflow in
txXPathNodeUtils::getBaseURI is possible due to
uninitialized data during XSLT processing.
(CVE-2013-5604)

See also :

http://www.mozilla.org/security/announce/2013/mfsa2013-93.html
http://www.mozilla.org/security/announce/2013/mfsa2013-94.html
http://www.mozilla.org/security/announce/2013/mfsa2013-95.html
http://www.mozilla.org/security/announce/2013/mfsa2013-96.html
http://www.mozilla.org/security/announce/2013/mfsa2013-97.html
http://www.mozilla.org/security/announce/2013/mfsa2013-98.html
http://www.mozilla.org/security/announce/2013/mfsa2013-100.html
http://www.mozilla.org/security/announce/2013/mfsa2013-101.html
http://www.mozilla.org/security/announce/2013/mfsa2013-102.html

Solution :

Upgrade to Thunderbird 24.1 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.1
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false