Mozilla Thunderbird < 31.5 Multiple Vulnerabilities

This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.


Synopsis :

The remote Windows host contains a mail client that is affected by
multiple vulnerabilities.

Description :

The version of Thunderbird installed on the remote Windows host is
prior to 31.5. It is, therefore, affected by the following
vulnerabilities :

- An information disclosure vulnerability exists related
to the autocomplete feature that allows an attacker to
read arbitrary files. (CVE-2015-0822)

- An out-of-bounds read and write issue exists when
processing invalid SVG graphic files. This allows an
attacker to disclose sensitive information.
(CVE-2015-0827)

- A use-after-free issue exists when running specific web
content with 'IndexedDB' to create an index, resulting
in a denial of service condition or arbitrary code
execution. (CVE-2015-0831)

- An issue exists in the Mozilla updater in which DLL
files in the current working directory or Windows
temporary directories will be loaded, allowing the
execution of arbitrary code. Note that hosts are only
affected if the updater is not run by the Mozilla
Maintenance Service. (CVE-2015-0833)

- Multiple unspecified memory safety issues exist within
the browser engine. (CVE-2015-0835, CVE-2015-0836)

See also :

https://www.mozilla.org/en-US/security/advisories/mfsa2015-11/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-12/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-16/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-19/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-24/

Solution :

Upgrade to Thunderbird 31.5 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.9
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false
