Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : thunderbird vulnerabilities (USN-3165-1)

Ubuntu Security Notice (C) 2017 Canonical, Inc. / NASL script (C) 2017 Tenable Network Security, Inc.
Synopsis :

The remote Ubuntu host is missing a security-related patch.

Description :

Multiple memory safety issues were discovered in Thunderbird. If a
user were tricked into opening a specially crafted message, an
attacker could potentially exploit these to cause a denial of service
via application crash, or execute arbitrary code. (CVE-2016-9893,
CVE-2017-5373)

Andrew Krasichkov discovered that event handlers on <marquee> elements
were executed despite a Content Security Policy (CSP) that disallowed
inline JavaScript. If a user were tricked into opening a specially
crafted website in a browsing context, an attacker could potentially
exploit this to conduct cross-site scripting (XSS) attacks.
(CVE-2016-9895)

A memory corruption issue was discovered in WebGL in some
circumstances. If a user were tricked into opening a specially
crafted website in a browsing context, an attacker could potentially
exploit this to cause a denial of service via application crash, or
execute arbitrary code. (CVE-2016-9897)

A use-after-free was discovered when manipulating DOM subtrees in the
Editor. If a user were tricked into opening a specially crafted
website in a browsing context, an attacker could potentially exploit
this to cause a denial of service via application crash, or execute
arbitrary code. (CVE-2016-9898)

A use-after-free was discovered when manipulating DOM events and audio
elements. If a user were tricked into opening a specially crafted
website in a browsing context, an attacker could potentially exploit
this to cause a denial of service via application crash, or execute
arbitrary code. (CVE-2016-9899)

It was discovered that external resources that should be blocked when
loading SVG images can bypass security restrictions using data: URLs.
An attacker could potentially exploit this to obtain sensitive
information. (CVE-2016-9900)

Jann Horn discovered that JavaScript Map/Set were vulnerable to timing
attacks. If a user were tricked into opening a specially crafted
website in a browsing context, an attacker could potentially exploit
this to obtain sensitive information across domains. (CVE-2016-9904)

A crash was discovered in EnumerateSubDocuments while adding or
removing sub-documents. If a user were tricked into opening a
specially crafted website in a browsing context, an attacker could
potentially exploit this to execute arbitrary code. (CVE-2016-9905)

JIT code allocation can allow a bypass of ASLR protections in some
circumstances. If a user were tricked into opening a specially
crafted website in a browsing context, an attacker could potentially
exploit this to cause a denial of service via application crash, or
execute arbitrary code. (CVE-2017-5375)

Nicolas Gregoire discovered a use-after-free when manipulating XSL in
XSLT documents in some circumstances. If a user were tricked into
opening a specially crafted website in a browsing context, an attacker
could potentially exploit this to cause a denial of service via
application crash, or execute arbitrary code. (CVE-2017-5376)

Jann Horn discovered that an object's address could be discovered
through hash codes of JavaScript objects shared between pages. If a
user were tricked into opening a specially crafted website in a
browsing context, an attacker could potentially exploit this to obtain
sensitive information. (CVE-2017-5378)

A use-after-free was discovered during DOM manipulation of SVG content
in some circumstances. If a user were tricked into opening a
specially crafted website in a browsing context, an attacker could
potentially exploit this to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2017-5380)

Armin Razmjou discovered that certain Unicode glyphs do not trigger
punycode display. If a user were tricked into opening a specially
crafted website in a browsing context, an attacker could potentially
exploit this to spoof the URL bar contents. (CVE-2017-5383)

Jerri Rice discovered insecure communication methods in the Dev Tools
JSON Viewer. An attacker could potentially exploit this to gain
additional privileges. (CVE-2017-5390)

Filipe Gomes discovered a use-after-free in the media decoder in some
circumstances. If a user were tricked into opening a specially
crafted website in a browsing context, an attacker could potentially
exploit this to cause a denial of service via application crash, or
execute arbitrary code. (CVE-2017-5396)

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected thunderbird package.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.3
(CVSS2#E:POC/RL:OF/RC:ND)
Public Exploit Available : true