Ubuntu 12.04 LTS / 14.04 LTS : thunderbird vulnerabilities (USN-2330-1)

Ubuntu Security Notice (C) 2014-2016 Canonical, Inc. / NASL script (C) 2014-2016 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing a security-related patch.

Description :

Jan de Mooij, Christian Holler, Karl Tomlinson, Randell Jesup, Gary
Kwong, Jesse Ruderman and JW Wang discovered multiple memory safety
issues in Thunderbird. If a user were tricked in to opening a
specially crafted message with scripting enabled, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code with the privileges of the user
invoking Thunderbird. (CVE-2014-1553, CVE-2014-1562)

Abhishek Arya discovered a use-after-free during DOM interactions with
SVG. If a user were tricked in to opening a specially crafted message
with scripting enabled, an attacker could potentially exploit this to
cause a denial of service via application crash or execute arbitrary
code with the privileges of the user invoking Thunderbird.
(CVE-2014-1563)

Michal Zalewski discovered that memory is not initialized properly
during GIF rendering in some circumstances. If a user were tricked in
to opening a specially crafted message, an attacker could potentially
exploit this to steal confidential information. (CVE-2014-1564)

Holger Fuhrmannek discovered an out-of-bounds read in Web Audio. If a
user were tricked in to opening a specially crafted message with
scripting enabled, an attacker could potentially exploit this to cause
a denial of service via application crash or steal confidential
information. (CVE-2014-1565)

A use-after-free was discovered during text layout in some
circumstances. If a user were tricked in to opening a specially
crafted message with scripting enabled, an attacker could potentially
exploit this to cause a denial of service via application crash or
execute arbitrary code with the privileges of the user invoking
Thunderbird. (CVE-2014-1567).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected thunderbird package.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.4
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 77664 ()

Bugtraq ID: 69519
69520
69521
69523
69524
69525

CVE ID: CVE-2014-1553
CVE-2014-1562
CVE-2014-1563
CVE-2014-1564
CVE-2014-1565
CVE-2014-1567

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now