Mozilla Thunderbird < 24.2 Multiple Vulnerabilities

High

Synopsis

The remote host has a browser-like email client installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Thunderbird earlier than 24.2 are prone to the following vulnerabilities:

- Miscellaneous memory safety hazards (CVE-2013-5609, CVE-2013-5610)

- Use-after-free flaws in event listeners, the table editing user interface, and synthetic mouse movement can lead to a potentially exploitable crash (CVE-2013-5616, CVE-2013-5613, CVE-2013-5618)

- A segmentation violation when replacing ordered list elements in a document via script can lead to a potentially exploitable crash (CVE-2013-6671)

- Extended validation root certificates remain trusted even if the user has explicitly removed the trust (CVE-2013-6673)

- GetElementIC typed arrays can be generated outside observed typesets, with unknown security impact (CVE-2013-5615)

- Issues in the JPEG image processing library can allow arbitrary memory to be read, as well as cross-domain theft (CVE-2013-6629, CVE-2013-6630)

- An intermediary CA that is chained up to a root within Mozilla's root store was revoked for supplying an intermediate certificate that allowed a man-in-the-middle proxy to perform traffic management of domain names and IP addresses the certificate holder did not own or control.

Solution

Upgrade to Thunderbird 24.2 or later.