Mozilla Thunderbird < 52.1 Multiple Vulnerabilities

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote Windows host contains a mail client that is affected by
multiple vulnerabilities.

Description :

The version of Mozilla Thunderbird installed on the remote Windows
host is prior to 52.1 It is, therefore, affected by multiple
vulnerabilities :

- Multiple flaws exist in the Libevent library, within
files evdns.c and evutil.c, due to improper validation
of input when handling IP address strings, empty base
name strings, and DNS packets. An unauthenticated,
remote attacker can exploit these to cause a denial of
service condition or the execution of arbitrary code.
(CVE-2016-10195, CVE-2016-10196, CVE-2016-10197)

- Multiple memory corruption issues exist that allow an
unauthenticated, remote attacker to execute arbitrary
code. (CVE-2017-5429, CVE-2017-5430)

- A use-after-free error exists in input text selection
that allows an unauthenticated, remote attacker to
cause a denial of service condition or the execution of
arbitrary code. (CVE-2017-5432)

- A use-after-free error exists in the SMIL animation
functions when handling animation elements. An
unauthenticated, remote attacker can exploit this to
cause a denial of service condition or the execution of
arbitrary code. (CVE-2017-5433)

- A use-after-free error exists when redirecting focus
handling that allows an unauthenticated, remote attacker
to cause a denial of service condition or the execution
of arbitrary code. (CVE-2017-5434)

- A use-after-free error exists in design mode
interactions when handling transaction processing in
the editor. An unauthenticated, remote attacker can
exploit this to cause a denial of service condition or
the execution of arbitrary code. (CVE-2017-5435)

- An out-of-bounds write error exists in the Graphite 2
library when handling specially crafted Graphite fonts.
An unauthenticated, remote attacker can exploit this to
cause a denial of service condition or the execution of
arbitrary code. (CVE-2017-5436)

- A use-after-free error exists in the nsAutoPtr()
function during XSLT processing due to the result
handler being held by a freed handler. An
unauthenticated, remote attacker can exploit this to
cause a denial of service condition or the execution of
arbitrary code. (CVE-2017-5438)

- A use-after-free error exists in the Length() function
in nsTArray when handling template parameters during
XSLT processing. An unauthenticated, remote attacker can
exploit this to cause a denial of service condition or
the execution of arbitrary code. (CVE-2017-5439)

- A use-after-free error exists in the txExecutionState
destructor when processing XSLT content. An
unauthenticated, remote attacker can exploit this to
cause a denial of service condition or the execution of
arbitrary code. (CVE-2017-5440)

- A use-after-free error exists when holding a selection
during scroll events. An unauthenticated, remote
attacker can exploit this to cause a denial of service
condition or the execution of arbitrary code.
(CVE-2017-5441)

- A use-after-free error exists when changing styles in
DOM elements that allows an unauthenticated, remote
attacker to cause a denial of service condition or the
execution of arbitrary code. (CVE-2017-5442)

- An out-of-bounds write error exists while decoding
improperly formed BinHex format archives that allows an
unauthenticated, remote attacker to cause a denial of
service condition or the execution of arbitrary code.
(CVE-2017-5443)

- A buffer overflow condition exists while parsing
application/http-index-format format content due to
improper validation of user-supplied input. An
unauthenticated, remote attacker can exploit this, via
improperly formatted data, to disclose out-of-bounds
memory content. (CVE-2017-5444)

- A flaw exists in nsDirIndexParser.cpp when parsing
application/http-index-format format content in which
uninitialized values are used to create an array. An
unauthenticated, remote attacker can exploit this to
disclose memory contents. (CVE-2017-5445)

- An out-of-bounds read error exists when handling HTTP/2
DATA connections to a server that sends DATA frames with
incorrect content. An unauthenticated, remote attacker
can exploit to cause a denial of service condition or
the disclosure of memory contents. (CVE-2017-5446)

- An out-of-bounds read error exists when processing glyph
widths during text layout. An unauthenticated, remote
attacker can exploit this to cause a denial of service
condition or the disclosure of memory contents.
(CVE-2017-5447)

- A flaw exists when handling bidirectional Unicode text
in conjunction with CSS animations that allows an
unauthenticated, remote attacker to cause a denial of
service condition or the execution or arbitrary code.
(CVE-2017-5449)

- A flaw exists in the handling of specially crafted
'onblur' events. An unauthenticated, remote attacker can
exploit this, via a specially crafted event, to spoof
the address bar, making the loaded site appear to be
different from the one actually loaded. (CVE-2017-5451)

- A flaw exists in the FileSystemSecurity::Forget()
function within file FileSystemSecurity.cpp when using
the File Picker due to improper sanitization of input
containing path traversal sequences. An unauthenticated,
remote attacker can exploit this to bypass file system
access protections in the sandbox and read arbitrary
files on the local file system. (CVE-2017-5454)

- A buffer overflow condition exists in WebGL when
handling web content due to improper validation of
certain input. An unauthenticated, remote attacker can
exploit this to cause a denial of service condition or
the execution of arbitrary code. (CVE-2017-5459)

- A use-after-free error exists in frame selection when
handling a specially crafted combination of script
content and key presses by the user. An unauthenticated,
remote attacker can exploit this to cause a denial of
service condition or the execution of arbitrary code.
(CVE-2017-5460)

- An out-of-bounds write error exists in the Network
Security Services (NSS) library during Base64 decoding
operations due to insufficient memory being allocated to
a buffer. An unauthenticated, remote attacker can
exploit this to cause a denial of service condition or
the execution of arbitrary code. (CVE-2017-5461)

- A flaw exists in the Network Security Services (NSS)
library during DRBG number generation due to the
internal state V not correctly carrying bits over. An
unauthenticated, remote attacker can exploit this to
potentially cause predictable random number generation.
(CVE-2017-5462)

- A flaw exists when making changes to DOM content in the
accessibility tree due to improper validation of certain
input, which can lead to the DOM tree becoming out of
sync with the accessibility tree. An unauthenticated,
remote attacker can exploit this to corrupt memory,
resulting in a denial of service condition or the
execution of arbitrary code. (CVE-2017-5464)

- An out-of-bounds read error exists in ConvolvePixel when
processing SVG content, which allows for otherwise
inaccessible memory being copied into SVG graphic
content. An unauthenticated, remote attacker can exploit
this to disclose memory contents or cause a denial of
service condition. (CVE-2017-5465)

- A cross-site scripting (XSS) vulnerability exists due to
improper handling of data:text/html URL redirects when
a reload is triggered, which causes the reloaded
data:text/html page to have its origin set incorrectly.
An unauthenticated, remote attacker can exploit this,
via a specially crafted request, to execute arbitrary
script code in a user's browser session. (CVE-2017-5466)

- A memory corruption issue exists when rendering Skia
content outside of the bounds of a clipping region due
to improper validation of certain input. An
unauthenticated, remote attacker can exploit this to
cause a denial of service condition or the execution of
arbitrary code. (CVE-2017-5467)

- A buffer overflow condition exists in the FLEX generated
code due to improper validation of user-supplied input.
An unauthenticated, remote attacker can exploit this to
execute arbitrary code. (CVE-2017-5469)

See also :

https://www.mozilla.org/en-US/security/advisories/mfsa2017-13/
https://bugzilla.mozilla.org/show_bug.cgi?id=1122305
https://bugzilla.mozilla.org/show_bug.cgi?id=1350683
https://bugzilla.mozilla.org/show_bug.cgi?id=1345461
https://bugzilla.mozilla.org/show_bug.cgi?id=1344380
https://bugzilla.mozilla.org/show_bug.cgi?id=1333858
https://bugzilla.mozilla.org/show_bug.cgi?id=1353975
https://bugzilla.mozilla.org/show_bug.cgi?id=1349946
https://bugzilla.mozilla.org/show_bug.cgi?id=1346654
https://bugzilla.mozilla.org/show_bug.cgi?id=1343642
https://bugzilla.mozilla.org/show_bug.cgi?id=1336828
https://bugzilla.mozilla.org/show_bug.cgi?id=1336830
https://bugzilla.mozilla.org/show_bug.cgi?id=1336832
https://bugzilla.mozilla.org/show_bug.cgi?id=1343795
https://bugzilla.mozilla.org/show_bug.cgi?id=1347979
https://bugzilla.mozilla.org/show_bug.cgi?id=1347075
https://bugzilla.mozilla.org/show_bug.cgi?id=1342661
https://bugzilla.mozilla.org/show_bug.cgi?id=1344461
https://bugzilla.mozilla.org/show_bug.cgi?id=1343505
https://bugzilla.mozilla.org/show_bug.cgi?id=1343552
https://bugzilla.mozilla.org/show_bug.cgi?id=1347617
https://bugzilla.mozilla.org/show_bug.cgi?id=1349276
https://bugzilla.mozilla.org/show_bug.cgi?id=1292534
https://bugzilla.mozilla.org/show_bug.cgi?id=1344467
https://bugzilla.mozilla.org/show_bug.cgi?id=1340127
https://bugzilla.mozilla.org/show_bug.cgi?id=1273537
https://bugzilla.mozilla.org/show_bug.cgi?id=1345089
https://bugzilla.mozilla.org/show_bug.cgi?id=1347262

Solution :

Upgrade to Mozilla Thunderbird version 52.1 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.7
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true