Ubuntu 11.10 : thunderbird vulnerabilities (USN-1343-1)

Ubuntu Security Notice (C) 2012-2016 Canonical, Inc. / NASL script (C) 2012-2016 Tenable Network Security, Inc.

Synopsis :

The remote Ubuntu host is missing a security-related patch.

Description :

Alexandre Poirot, Chris Blizzard, Kyle Huey, Scoobidiver, Christian
Holler, David Baron, Gary Kwong, Jim Blandy, Bob Clary, Jesse
Ruderman, Marcia Knous, and Rober Longson discovered several memory
safety issues which could possibly be exploited to crash Thunderbird
or execute arbitrary code as the user that invoked Thunderbird.

Aki Helin discovered a crash in the YARR regular expression library
that could be triggered by JavaScript in web content. (CVE-2011-3661)

It was discovered that a flaw in the Mozilla SVG implementation could
result in an out-of-bounds memory access if SVG elements were removed
during a DOMAttrModified event handler. An attacker could potentially
exploit this vulnerability to crash Thunderbird. (CVE-2011-3658)

Mario Heiderich discovered it was possible to use SVG animation
accessKey events to detect key strokes even when JavaScript was
disabled. A malicious web page could potentially exploit this to trick
a user into interacting with a prompt thinking it came from
Thunderbird in a context where the user believed scripting was
disabled. (CVE-2011-3663)

It was discovered that it was possible to crash Thunderbird when
scaling an OGG <video> element to extreme sizes. (CVE-2011-3665).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected thunderbird package.

Risk factor :

Critical / CVSS Base Score : 10.0
CVSS Temporal Score : 8.3
Public Exploit Available : true

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 57686 ()

Bugtraq ID: 51133

CVE ID: CVE-2011-3658

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now