Ubuntu 12.04 LTS / 13.10 / 14.04 LTS : thunderbird vulnerabilities (USN-2250-1)

Ubuntu Security Notice (C) 2014-2016 Canonical, Inc. / NASL script (C) 2014-2016 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing a security-related patch.

Description :

Gary Kwong, Christoph Diehl, Christian Holler, Hannes Verschore, Jan
de Mooij, Ryan VanderMeulen, Jeff Walden and Kyle Huey discovered
multiple memory safety issues in Thunderbird. If a user were tricked
into opening a specially crafted message with scripting enabled, an
attacker could potentially exploit these to cause a denial of service
via application crash, or execute arbitrary code with the privileges
of the user invoking Thunderbird. (CVE-2014-1533)

Abhishek Arya discovered multiple use-after-free and out-of-bounds
read issues in Thunderbird. If a user had enabled scripting, an
attacker could potentially exploit these to cause a denial of service
via application crash or execute arbitrary code with the privileges of
the user invoking Thunderbird. (CVE-2014-1538)

A use-after-free was discovered in the SMIL animation controller. If a
user had enabled scripting, an attacker could potentially exploit this
to cause a denial of service via application crash or execute
arbitrary code with the privileges of the user invoking Thunderbird.
(CVE-2014-1541)

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected thunderbird package.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.4
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 76158

Bugtraq ID: 67965
67976
67979

CVE ID: CVE-2014-1533
CVE-2014-1538
CVE-2014-1541