The nsAuthSSPI::Unwrap function in extensions/auth/nsAuthSSPI.cpp in Mozilla Thunderbird before 2.0.0.24 and SeaMonkey before 1.1.19 on Windows Vista, Windows Server 2008 R2, and Windows 7 allows remote SMTP, IMAP, and POP servers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via crafted data in a session that uses SSPI.

This update brings Mozilla SeaMonkey to 1.1.19 fixing various bugs and security issues.

Following security issues are fixed: MFSA 2010-07: Mozilla developers took fixes from previously fixed memory safety bugs in newer Mozilla-based products and ported them to the Mozilla 1.8.1 branch so they can be utilized by Thunderbird 2 and SeaMonkey 1.1.

Paul Fisher reported a crash when joined to an Active Directory server under Vista or Windows 7 and using SSPI authentication.
(CVE-2010-0161) Ludovic Hirlimann reported a crash indexing some messages with attachments (CVE-2010-0163) Carsten Book reported a crash in the JavaScript engine (CVE-2009-3075) Josh Soref reported a crash in the BinHex decoder used on non-Mac platforms. (CVE-2009-3072) monarch2000 reported an integer overflow in a base64 decoding function (CVE-2009-2463)

MFSA 2009-68 / CVE-2009-3983: Security researcher Takehiro Takahashi of the IBM X-Force reported that Mozilla's NTLM implementation was vulnerable to reflection attacks in which NTLM credentials from one application could be forwarded to another arbitary application via the browser. If an attacker could get a user to visit a web page he controlled he could force NTLM authenticated requests to be forwarded to another application on behalf of the user.

MFSA 2009-62 / CVE-2009-3376: Mozilla security researchers Jesse Ruderman and Sid Stamm reported that when downloading a file containing a right-to-left override character (RTL) in the filename, the name displayed in the dialog title bar conflicts with the name of the file shown in the dialog body. An attacker could use this vulnerability to obfuscate the name and file extension of a file to be downloaded and opened, potentially causing a user to run an executable file when they expected to open a non-executable file.

MFSA 2009-59 / CVE-2009-0689: Security researcher Alin Rad Pop of Secunia Research reported a heap-based buffer overflow in Mozilla's string to floating point number conversion routines. Using this vulnerability an attacker could craft some malicious JavaScript code containing a very long string to be converted to a floating point number which would result in improper memory allocation and the execution of an arbitrary memory location. This vulnerability could thus be leveraged by the attacker to run arbitrary code on a victim's computer.

Update: The underlying flaw in the dtoa routines used by Mozilla appears to be essentially the same as that reported against the libc gdtoa routine by Maksymilian Arciemowicz.

MFSA 2010-06 / CVE-2009-3385: Security researcher Georgi Guninski reported that scriptable plugin content, such as Flash objects, could be loaded and executed in SeaMonkey mail messages by embedding the content in an iframe inside the message. If a user were to reply to or forward such a message, malicious JavaScript embedded in the plugin content could potentially steal the contents of the message or files from the local filesystem.

MFSA 2009-49 / CVE-2009-3077: An anonymous security researcher, via TippingPoint's Zero Day Initiative, reported that the columns of a XUL tree element could be manipulated in a particular way which would leave a pointer owned by the column pointing to freed memory. An attacker could potentially use this vulnerability to crash a victim's browser and run arbitrary code on the victim's computer.

Please see http://www.mozilla.org/security/known-vulnerabilities/seamonkey11.html

This update brings Mozilla SeaMonkey to 1.1.19 fixing various bugs and security issues.

The following security issues are fixed :

  - Mozilla developers took fixes from previously fixed     memory safety bugs in newer Mozilla-based products and     ported them to the Mozilla 1.8.1 branch so they can be     utilized by Thunderbird 2 and SeaMonkey 1.1. (MFSA     2010-07)

  - Paul Fisher reported a crash when joined to an Active     Directory server under Vista or Windows 7 and using SSPI     authentication. (CVE-2010-0161)

  - Ludovic Hirlimann reported a crash indexing some     messages with attachments. (CVE-2010-0163)

  - Carsten Book reported a crash in the JavaScript engine.
    (CVE-2009-3075)

  - Josh Soref reported a crash in the BinHex decoder used     on non-Mac platforms. (CVE-2009-3072)

  - monarch2000 reported an integer overflow in a base64     decoding function. (CVE-2009-2463)

  - Security researcher Takehiro Takahashi of the IBM     X-Force reported that Mozilla's NTLM implementation was     vulnerable to reflection attacks in which NTLM     credentials from one application could be forwarded to     another arbitary application via the browser. If an     attacker could get a user to visit a web page he     controlled he could force NTLM authenticated requests to     be forwarded to another application on behalf of the     user. (MFSA 2009-68 / CVE-2009-3983)

  - Mozilla security researchers Jesse Ruderman and Sid     Stamm reported that when downloading a file containing a     right-to-left override character (RTL) in the filename,     the name displayed in the dialog title bar conflicts     with the name of the file shown in the dialog body. An     attacker could use this vulnerability to obfuscate the     name and file extension of a file to be downloaded and     opened, potentially causing a user to run an executable     file when they expected to open a non-executable file.
    (MFSA 2009-62 / CVE-2009-3376)

  - Security researcher Alin Rad Pop of Secunia Research     reported a heap-based buffer overflow in Mozilla's     string to floating point number conversion routines.
    Using this vulnerability an attacker could craft some     malicious JavaScript code containing a very long string     to be converted to a floating point number which would     result in improper memory allocation and the execution     of an arbitrary memory location. This vulnerability     could thus be leveraged by the attacker to run arbitrary     code on a victim's computer. (MFSA 2009-59 /     CVE-2009-0689)

Update: The underlying flaw in the dtoa routines used by Mozilla appears to be essentially the same as that reported against the libc gdtoa routine by Maksymilian Arciemowicz.

  - Security researcher Georgi Guninski reported that     scriptable plugin content, such as Flash objects, could     be loaded and executed in SeaMonkey mail messages by     embedding the content in an iframe inside the message.
    If a user were to reply to or forward such a message,     malicious JavaScript embedded in the plugin content     could potentially steal the contents of the message or     files from the local filesystem. (MFSA 2010-06 /     CVE-2009-3385)

  - An anonymous security researcher, via TippingPoint's     Zero Day Initiative, reported that the columns of a XUL     tree element could be manipulated in a particular way     which would leave a pointer owned by the column pointing     to freed memory. An attacker could potentially use this     vulnerability to crash a victim's browser and run     arbitrary code on the victim's computer. (MFSA 2009-49 /     CVE-2009-3077)

Please see http://www.mozilla.org/security/known-vulnerabilities/seamonkey11.html

Multiple vulnerabilities has been found and corrected in mozilla-thunderbird :

Mozilla Thunderbird before 2.0.0.24 and SeaMonkey before 1.1.19 process e-mail attachments with a parser that performs casts and line termination incorrectly, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted message, related to message indexing (CVE-2009-0689).

Integer overflow in a base64 decoding function in Mozilla Firefox before 3.0.12 and Thunderbird allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors (CVE-2009-2463).

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.3, allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (CVE-2009-3072).

Multiple unspecified vulnerabilities in the JavaScript engine in Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.2, allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (CVE-2009-3075).

Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.3, does not properly manage pointers for the columns (aka TreeColumns) of a XUL tree element, which allows remote attackers to execute arbitrary code via a crafted HTML document, related to a dangling pointer vulnerability. (CVE-2009-3077)

Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey before 2.0, does not properly handle a right-to-left override (aka RLO or U+202E) Unicode character in a download filename, which allows remote attackers to spoof file extensions via a crafted filename, as demonstrated by displaying a non-executable extension for an executable file (CVE-2009-3376).

Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, allows remote attackers to send authenticated requests to arbitrary applications by replaying the NTLM credentials of a browser user (CVE-2009-3983).

Mozilla Thunderbird before 2.0.0.24 and SeaMonkey before 1.1.19 process e-mail attachments with a parser that performs casts and line termination incorrectly, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted message, related to message indexing (CVE-2010-0163).

This update provides the latest version of Thunderbird which are not vulnerable to these issues.

Packages for 2008.0 and 2009.0 are provided due to the Extended Maintenance Program for those products.

Additionally, some packages which require so, have been rebuilt and are being provided as updates.

Mozilla Thunderbird was updated to 2.0.0.14 fixing several security issues and bugs.

MFSA 2010-07: Mozilla developers took fixes from previously fixed memory safety bugs in newer Mozilla-based products and ported them to the Mozilla 1.8.1 branch so they can be utilized by Thunderbird 2 and SeaMonkey 1.1.

Paul Fisher reported a crash when joined to an Active Directory server under Vista or Windows 7 and using SSPI authentication.
(CVE-2010-0161) Ludovic Hirlimann reported a crash indexing some messages with attachments (CVE-2010-0163) Carsten Book reported a crash in the JavaScript engine (CVE-2009-3075) Josh Soref reported a crash in the BinHex decoder used on non-Mac platforms. (CVE-2009-3072) monarch2000 reported an integer overflow in a base64 decoding function (CVE-2009-2463)

MFSA 2009-68 / CVE-2009-3983: Security researcher Takehiro Takahashi of the IBM X-Force reported that Mozilla's NTLM implementation was vulnerable to reflection attacks in which NTLM credentials from one application could be forwarded to another arbitary application via the browser. If an attacker could get a user to visit a web page he controlled he could force NTLM authenticated requests to be forwarded to another application on behalf of the user.

MFSA 2009-62 / CVE-2009-3376: Mozilla security researchers Jesse Ruderman and Sid Stamm reported that when downloading a file containing a right-to-left override character (RTL) in the filename, the name displayed in the dialog title bar conflicts with the name of the file shown in the dialog body. An attacker could use this vulnerability to obfuscate the name and file extension of a file to be downloaded and opened, potentially causing a user to run an executable file when they expected to open a non-executable file.

MFSA 2009-59 / CVE-2009-0689: Security researcher Alin Rad Pop of Secunia Research reported a heap-based buffer overflow in Mozilla's string to floating point number conversion routines. Using this vulnerability an attacker could craft some malicious JavaScript code containing a very long string to be converted to a floating point number which would result in improper memory allocation and the execution of an arbitrary memory location. This vulnerability could thus be leveraged by the attacker to run arbitrary code on a victim's computer.

Update: The underlying flaw in the dtoa routines used by Mozilla appears to be essentially the same as that reported against the libc gdtoa routine by Maksymilian Arciemowicz.

MFSA 2009-49 / CVE-2009-3077: An anonymous security researcher, via TippingPoint's Zero Day Initiative, reported that the columns of a XUL tree element could be manipulated in a particular way which would leave a pointer owned by the column pointing to freed memory. An attacker could potentially use this vulnerability to crash a victim's browser and run arbitrary code on the victim's computer.

Please see http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.ht ml

Mozilla Project reports :

MFSA 2010-07 Fixes for potentially exploitable crashes ported to the legacy branch

MFSA 2010-06 Scriptable plugin execution in SeaMonkey mail

MFSA 2009-68 NTLM reflection vulnerability

MFSA 2009-62 Download filename spoofing with RTL override

MFSA 2009-59 Heap buffer overflow in string to number conversion

MFSA 2009-49 TreeColumns dangling pointer vulnerability

The remote host is running a version of Mozilla SeaMonkey earlier than 1.1.19.  Such versions are potentially affected by multiple vulnerabilities : 

  - The columns of a XUL tree element could be manipulated in a particular way which would leave a pointer owned by the column pointing to freed memory. (MFSA 2009-49)

  - A heap-based overflow exists in Mozilla's string to floating point number conversion routines. (MFSA 2009-59)

  - It is possible to obfuscate the name of files to be downloaded by using a right-to-left override character (RTL). (MFSA 2009-62)

  - Mozilla's NTLM implementation is vulnerable to reflection attacks in which NTLM credentials from one application could be forwarded to another arbitrary application. (MFSA 2009-68)

  - Scriptable plugin content, such as Flash objects, can be loaded and executed by embedding the content in an iframe inside the message. (MFSA 2010-06)

  - Multiple memory corruption vulnerabilities which could potentially lead to the execution of arbitrary code. (MFSA 2010-07)

The isntalled version of Mozilla Thunderbird is earlier than 2.0.0.24.  Such version are potentially affected by multiple vulnerabilities : 

  - The columns of a XUL tree element can be manipulated in a particular way which would leave a pointer owned by the column pointing to freed memory. (MFSA 2009-49)

  - A heap-based buffer overflow exists in Mozilla's string to floating point number conversion routines. (MFSA 2009-59)

  - It is possible to obfuscate the name of files to be downloaded by using a right-to-left override character (RTL). (MFSA 2009-62)

Versions of Mozilla Thunderbird prior to 2.0.0.24 are affected by the following vulnerabilities : 

 - The columns of a XUL tree element can be manipulated in a particular way which would leave a pointer owned by the column pointing to freed memory. (MFSA 2009-49)
 - A heap-based buffer overflow exists in Mozilla's string to floating point number conversion routines. (MFSA 2009-59)
 - It is possible to obfuscate the name of files to be downloaded by using a right-to-left override character (RTL). (MFSA 2009-62)

The remote host is running a version of SeaMonkey earlier than 1.1.19.  Such versions are potentially affected by multiple vulnerabilities : 

  - The columns of a XUL tree element could be manipulated in a particular way which would leave a pointer owned by the column pointing to freed memory. (MFSA 2009-49)

  - A heap-based overflow exists in Mozilla's string to floating point number conversion routines. (MFSA 2009-59)

  - It is possible to obfuscate the name of files to be downloaded by using a right-to-left override character (RTL). (MFSA 2009-62)

  - Mozilla's NTLM implementation is vulnerable to reflection attacks in which NTLM credentials from one application could be forwarded to another arbitrary application. (MFSA 2009-68)

  - Scriptable plugin content, such as Flash objects, can be loaded and executed by embedding the content in an iframe inside the message. (MFSA 2010-06)

  - Multiple memory corruption vulnerabilities which could potentially lead to the execution of arbitrary code. (MFSA 2010-07)

The installed version of SeaMonkey is earlier than 1.1.19.  Such versions are potentially affected by the following security issues :
  - The columns of a XUL tree element can be manipulated in     a particular way that would leave a pointer owned by     the column pointing to freed memory. (MFSA 2009-49)

  - A heap-based buffer overflow exists in Mozilla's string     to floating point number conversion routines.     (MFSA 2009-59)

  - It is possible to obfuscate the name of files to be     downloaded by using a right-to-left override character     (RTL). (MFSA 2009-62)

  - Mozilla's NTLM implementation is vulnerable to     reflection attacks in which NTLM credentials from one     application could be forwarded to another arbitrary     application. (MFSA 2009-68)

  - Scriptable plugin content, such as Flash objects, can be     loaded and executed by embedding the content in an     iframe inside the message. (MFSA 2010-06)

  - Multiple memory corruption vulnerabilities exist that     may result in the execution of arbitrary code.     (MFSA 2010-07)

The installed version of Thunderbird is earlier than 2.0.0.24.  Such versions are potentially affected by multiple vulnerabilities :

  - The columns of a XUL tree element can be manipulated in     a particular way that would leave a pointer owned by     the column pointing to freed memory. (MFSA 2009-49)

  - A heap-based buffer overflow exists in Mozilla's string     to floating point number conversion routines.     (MFSA 2009-59)

  - It is possible to obfuscate the name of files to be     downloaded by using a right-to-left override character     (RTL). (MFSA 2009-62)

  - Multiple memory corruption vulnerabilities exist that     may result in the execution of arbitrary code.     (MFSA 2010-07)

ID	Name	Product	Family	Severity
46687	openSUSE Security Update : seamonkey (openSUSE-SU-2010:0273-1)	Nessus	SuSE Local Security Checks	critical
46686	openSUSE Security Update : seamonkey (openSUSE-SU-2010:0273-1)	Nessus	SuSE Local Security Checks	critical
46685	SuSE9 Security Update : epiphany (YOU Patch Number 12616)	Nessus	SuSE Local Security Checks	critical
45521	Mandriva Linux Security Advisory : mozilla-thunderbird (MDVSA-2010:071)	Nessus	Mandriva Local Security Checks	critical
45376	openSUSE Security Update : MozillaThunderbird (MozillaThunderbird-2189)	Nessus	SuSE Local Security Checks	critical
45375	openSUSE Security Update : MozillaThunderbird (MozillaThunderbird-2189)	Nessus	SuSE Local Security Checks	critical
45114	FreeBSD : mozilla -- multiple vulnerabilities (56cfe192-329f-11df-abb2-000f20797ede)	Nessus	FreeBSD Local Security Checks	critical
801348	Mozilla SeaMonkey < 1.1.19 Multiple Vulnerabilities	Log Correlation Engine	Web Clients	high
801216	Mozilla Thunderbird < 2.0.0.24 Multiple Vulnerabilities	Log Correlation Engine	SMTP Clients	high
5480	Mozilla Thunderbird < 2.0.0.24 Multiple Vulnerabilities	Nessus Network Monitor	SMTP Clients	medium
5479	SeaMonkey < 1.1.19 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	medium
45111	SeaMonkey < 1.1.19 Multiple Vulnerabilities	Nessus	Windows	high
45110	Mozilla Thunderbird < 2.0.0.24 Multiple Vulnerabilities	Nessus	Windows	high

Detections

Analytics

CVE-2010-0161

critical

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

high

high

medium

medium

high

high