Oracle Solaris Third-Party Patch Update : thunderbird (multiple_vulnerabilities_in_thunderbird6)

This script is Copyright (C) 2015 Tenable Network Security, Inc.


Synopsis :

The remote Solaris system is missing a security patch for third-party
software.

Description :

The remote Solaris system is missing necessary patches to address
security updates :

- Use-after-free vulnerability in Mozilla Firefox before
3.6.26 and 4.x through 9.0, Thunderbird before 3.1.18
and 5.0 through 9.0, and SeaMonkey before 2.7 might
allow remote attackers to execute arbitrary code via
vectors related to incorrect AttributeChildRemoved
notifications that affect access to removed
nsDOMAttribute child nodes. (CVE-2011-3659)

- Multiple unspecified vulnerabilities in the browser
engine in Mozilla Firefox before 3.6.26 and 4.x through
9.0, Thunderbird before 3.1.18 and 5.0 through 9.0, and
SeaMonkey before 2.7 allow remote attackers to cause a
denial of service (memory corruption and application
crash) or possibly execute arbitrary code via unknown
vectors. (CVE-2012-0442)

- Multiple unspecified vulnerabilities in the browser
engine in Mozilla Firefox 4.x through 9.0, Thunderbird
5.0 through 9.0, and SeaMonkey before 2.7 allow remote
attackers to cause a denial of service (memory
corruption and application crash) or possibly execute
arbitrary code via unknown vectors. (CVE-2012-0443)

- Mozilla Firefox 4.x through 9.0, Thunderbird 5.0 through
9.0, and SeaMonkey before 2.7 allow remote attackers to
bypass the HTML5 frame-navigation policy and replace
arbitrary sub-frames by creating a form submission
target with a sub-frame's name attribute.
(CVE-2012-0445)

- Multiple cross-site scripting (XSS) vulnerabilities in
Mozilla Firefox 4.x through 9.0, Thunderbird 5.0 through
9.0, and SeaMonkey before 2.7 allow remote attackers to
inject arbitrary web script or HTML via a (1) web page
or (2) Firefox extension, related to improper
enforcement of XPConnect security restrictions for frame
scripts that call untrusted objects. (CVE-2012-0446)

- Mozilla Firefox 4.x through 9.0, Thunderbird 5.0 through
9.0, and SeaMonkey before 2.7 do not properly initialize
data for image/vnd.microsoft.icon images, which allows
remote attackers to obtain potentially sensitive
information by reading a PNG image that was created
through conversion from an ICO image. (CVE-2012-0447)

- Mozilla Firefox before 3.6.26 and 4.x through 9.0,
Thunderbird before 3.1.18 and 5.0 through 9.0, and
SeaMonkey before 2.7 allow remote attackers to cause a
denial of service (memory corruption and application
crash) or possibly execute arbitrary code via a
malformed XSLT stylesheet that is embedded in a
document. (CVE-2012-0449)

See also :

http://www.nessus.org/u?b5f8def1
http://www.nessus.org/u?ca5c8a65

Solution :

Upgrade to Solaris 11.1.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Public Exploit Available : true

Family: Solaris Local Security Checks

Nessus Plugin ID: 80788 ()

Bugtraq ID:

CVE ID: CVE-2011-3659
CVE-2012-0442
CVE-2012-0443
CVE-2012-0445
CVE-2012-0446
CVE-2012-0447
CVE-2012-0449

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now