Mozilla Thunderbird < 52.2 Multiple Vulnerabilities

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote Windows host contains a mail client that is affected by
multiple vulnerabilities.

Description :

The version of Mozilla Thunderbird installed on the remote Windows
host is prior to 52.2. It is, therefore, affected by multiple
vulnerabilities :

- Multiple memory corruption issues exist that allow an
unauthenticated, remote attacker to execute arbitrary
code by convincing a user to visit a specially crafted
website. (CVE-2017-5470)

- A use-after-free error exists in the EndUpdate()
function in nsCSSFrameConstructor.cpp that is triggered
when reconstructing trees during regeneration of CSS
layouts. An unauthenticated, remote attacker can exploit
this, by convincing a user to visit a specially crafted
website, to cause a denial of service condition or the
execution of arbitrary code. (CVE-2017-5472)

- A use-after-free error exists in the Reload() function
in nsDocShell.cpp that is triggered when using an
incorrect URL during the reload of a docshell. An
unauthenticated, remote attacker can exploit this to
cause a denial of service condition or the execution of
arbitrary code. (CVE-2017-7749)

- A use-after-free error exists in the Hide() function in
nsDocumentViewer.cpp that is triggered when handling
track elements. An unauthenticated, remote attacker can
exploit this to cause a denial of service condition or
the execution of arbitrary code. (CVE-2017-7750)

- A use-after-free error exists in the nsDocumentViewer
class in nsDocumentViewer.cpp that is triggered when
handling content viewer listeners. An unauthenticated,
remote attacker can exploit this to cause a denial of
service condition or the execution of arbitrary code.
(CVE-2017-7751)

- A use-after-free error exists that is triggered when
handling events while specific user interaction occurs
with the input method editor (IME). An unauthenticated,
remote attacker can exploit this to cause a denial of
service condition or the execution of arbitrary code.
(CVE-2017-7752)

- An out-of-bounds read error exists in the IsComplete()
function in WebGLTexture.cpp that is triggered when
handling textures. An unauthenticated, remote attacker
can exploit this to disclose memory contents.
(CVE-2017-7754)

- A privilege escalation vulnerability exists due to
improper loading of dynamic-link library (DLL) files. A
local attacker can exploit this, via a specially crafted
DLL file in the installation path, to inject and execute
arbitrary code. (CVE-2017-7755)

- A use-after-free error exists in the SetRequestHead()
function in XMLHttpRequestMainThread.cpp that is
triggered when logging XML HTTP Requests (XHR). An
unauthenticated, remote attacker can exploit this to
cause a denial of service condition or the execution of
arbitrary code. (CVE-2017-7756)

- A use-after-free error exists in ActorsParent.cpp due to
improper handling of objects in memory. An
unauthenticated, remote attacker can exploit this to
cause a denial of service condition or the execution of
arbitrary code. (CVE-2017-7757)

- An out-of-bounds read error exists in the
AppendAudioSegment() function in TrackEncoder.cpp that
is triggered when the number of channels in an audio
stream changes while the Opus encoder is in use. An
unauthenticated, remote attacker can exploit this to
disclose sensitive information. (CVE-2017-7758)

- A flaw exists in the isLabelSafe() function in
nsIDNService.cpp that is triggered when handling
characters from different Unicode blocks. An
unauthenticated, remote attacker can exploit this, via a
specially crafted IDN domain, to spoof a valid URL and
conduct phishing attacks. (CVE-2017-7764)

- A flaw exists that is triggered due to improper parsing
of long filenames when handling downloaded files. An
unauthenticated, remote attacker can exploit this to
cause a file to be downloaded without the
'mark-of-the-web' applied, resulting in security
warnings for executables not being displayed.
(CVE-2017-7765)

- An out-of-bounds read error exists in the Graphite
component in the readPass() function in Pass.cpp. An
unauthenticated, remote attacker can exploit this to
cause a denial of service condition or the disclosure of
memory contents. (CVE-2017-7771)

- Multiple integer overflow conditions exist in the
Graphite component in the decompress() function in
Decompressor.cpp due to improper validation of
user-supplied input. An unauthenticated, remote attacker
can exploit this to cause a denial of service condition
or the execution of arbitrary code. (CVE-2017-7772,
CVE-2017-7773, CVE-2017-7778)

- An out-of-bounds read error exists in the Graphite
component in the readGraphite() function in Silf.cpp. An
unauthenticated, remote attacker can exploit this to
cause a denial of service condition or disclose memory
contents. (CVE-2017-7774)

- An assertion flaw exists in the Graphite component when
handling zero value sizes. An unauthenticated, remote
attacker can exploit this to cause a denial of service
condition. (CVE-2017-7775)

- An out-of-bounds read error exists in the Graphite
component in the getClassGlyph() function in Silf.cpp due to
improper validation of user-supplied input. An
unauthenticated, remote attacker can exploit this to
cause a denial of service condition. (CVE-2017-7776)

- A flaw exists in the Graphite component in the
read_glyph() function in GlyphCache.cpp related to use
of uninitialized memory. An unauthenticated, remote
attacker can exploit this to have an unspecified impact.
(CVE-2017-7777)

See also :

https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/
https://bugzilla.mozilla.org/show_bug.cgi?id=1365602
https://bugzilla.mozilla.org/show_bug.cgi?id=1355039
https://bugzilla.mozilla.org/show_bug.cgi?id=1356558
https://bugzilla.mozilla.org/show_bug.cgi?id=1363396
https://bugzilla.mozilla.org/show_bug.cgi?id=1361326
https://bugzilla.mozilla.org/show_bug.cgi?id=1359547
https://bugzilla.mozilla.org/show_bug.cgi?id=1357090
https://bugzilla.mozilla.org/show_bug.cgi?id=1366595
https://bugzilla.mozilla.org/show_bug.cgi?id=1356824
https://bugzilla.mozilla.org/show_bug.cgi?id=1368490
https://bugzilla.mozilla.org/show_bug.cgi?id=1360309
https://bugzilla.mozilla.org/show_bug.cgi?id=1364283
https://bugzilla.mozilla.org/show_bug.cgi?id=1273265

Solution :

Upgrade to Mozilla Thunderbird version 52.2 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.9
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false