Ubuntu 12.04 LTS / 14.04 LTS / 14.10 : thunderbird vulnerabilities (USN-2428-1)

Ubuntu Security Notice (C) 2014-2016 Canonical, Inc. / NASL script (C) 2014-2016 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing a security-related patch.

Description :

Gary Kwong, Randell Jesup, Nils Ohlmeier, Jesse Ruderman, and Max
Jonas Werner discovered multiple memory safety issues in Thunderbird.
If a user were tricked in to opening a specially crafted message with
scripting enabled, an attacker could potentially exploit these to
cause a denial of service via application crash, or execute arbitrary
code with the privileges of the user invoking Thunderbird.
(CVE-2014-1587)

Joe Vennix discovered a crash when using XMLHttpRequest in some
circumstances. If a user were tricked in to opening a specially
crafted message with scripting enabled, an attacker could potentially
exploit this to cause a denial of service. (CVE-2014-1590)

Berend-Jan Wever discovered a use-after-free during HTML parsing. If a
user were tricked in to opening a specially crafted message with
scripting enabled, an attacker could potentially exploit this to cause
a denial of service via application crash or execute arbitrary code
with the privileges of the user invoking Thunderbird. (CVE-2014-1592)

Abhishek Arya discovered a buffer overflow when parsing media content.
If a user were tricked in to opening a specially crafted message with
scripting enabled, an attacker could potentially exploit this to cause
a denial of service via application crash or execute arbitrary code
with the privileges of the user invoking Thunderbird. (CVE-2014-1593)

Byoungyoung Lee, Chengyu Song, and Taesoo Kim discovered a bad cast in
the compositor. If a user were tricked in to opening a specially
crafted message, an attacker could potentially exploit this to cause
undefined behaviour, a denial of service via application crash or
execute arbitrary code with the privileges of the user invoking
Thunderbird. (CVE-2014-1594).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected thunderbird package.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.9
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 79716 ()

Bugtraq ID: 71391
71395
71396
71397
71398

CVE ID: CVE-2014-1587
CVE-2014-1590
CVE-2014-1592
CVE-2014-1593
CVE-2014-1594

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now