Mozilla Thunderbird < 52.2 Multiple Vulnerabilities (macOS)

High Nessus Plugin ID 101771

Synopsis

The remote macOS or Mac OS X host contains a mail client that is affected by multiple vulnerabilities.

Description

The version of Mozilla Thunderbird installed on the remote Windows host is prior to 52.2. It is, therefore, affected by multiple vulnerabilities :

 - Multiple memory corruption issues exist that allow an unauthenticated, remote attacker to execute arbitrary code by convincing a user to visit a specially crafted website. (CVE-2017-5470)

 - A use-after-free error exists in the EndUpdate() function in nsCSSFrameConstructor.cpp that is triggered when reconstructing trees during regeneration of CSS layouts. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5472)

 - A use-after-free error exists in the Reload() function in nsDocShell.cpp that is triggered when using an incorrect URL during the reload of a docshell. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7749)

 - A use-after-free error exists in the Hide() function in nsDocumentViewer.cpp that is triggered when handling track elements. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7750)

 - A use-after-free error exists in the nsDocumentViewer class in nsDocumentViewer.cpp that is triggered when handling content viewer listeners. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code.
 (CVE-2017-7751)

 - A use-after-free error exists that is triggered when handling events while specific user interaction occurs with the input method editor (IME). An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code.
 (CVE-2017-7752)

 - An out-of-bounds read error exists in the IsComplete() function in WebGLTexture.cpp that is triggered when handling textures. An unauthenticated, remote attacker can exploit this to disclose memory contents.
 (CVE-2017-7754)

 - A use-after-free error exists in the SetRequestHead() function in XMLHttpRequestMainThread.cpp that is triggered when logging XML HTTP Requests (XHR). An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7756)

 - A use-after-free error exists in ActorsParent.cpp due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7757)

 - An out-of-bounds read error exists in the AppendAudioSegment() function in TrackEncoder.cpp that is triggered when the number of channels in an audio stream changes while the Opus encoder is in use. An unauthenticated, remote attacker can exploit this to disclose sensitive information. (CVE-2017-7758)

 - A flaw exists in the ReadCMAP() function in gfxMacPlatformFontList.mm that is triggered when handling tibetan characters in combination with macOS fonts. An unauthenticated, remote attacker can exploit this, via a specially crafted IDN domain, to spoof a valid URL. (CVE-2017-7763)

 - A flaw exists in the isLabelSafe() function in nsIDNService.cpp that is triggered when handling characters from different unicode blocks. An unauthenticated, remote attacker can exploit this, via a specially crafted IDN domain, to spoof a valid URL and conduct phishing attacks. (CVE-2017-7764)

 - An out-of-bounds read error exists in the Graphite component in the readPass() function in Pass.cpp. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the disclosure of memory contents. (CVE-2017-7771)

 - Multiple integer overflow conditions exist in the Graphite component in the decompress() function in Decompressor.cpp due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7772, CVE-2017-7773, CVE-2017-7778)

 - An out-of-bounds read error exists in the Graphite component in the readGraphite() function in Silf.cpp. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or disclose memory contents. (CVE-2017-7774)

 - An assertion flaw exists in the Graphite component when handling zero value sizes. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2017-7775)

 - An out-of-bounds read error exists in the Graphite component in getClassGlyph() function in Silf.cpp due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2017-7776)

 - A flaw exists in the Graphite component in the read_glyph() function in GlyphCache.cpp related to use of uninitialized memory. An unauthenticated, remote attacker can exploit this to have an unspecified impact.
 (CVE-2017-7777)

Solution

Upgrade to Mozilla Thunderbird version 52.2 or later.

See Also

https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/

https://bugzilla.mozilla.org/show_bug.cgi?id=1365602

https://bugzilla.mozilla.org/show_bug.cgi?id=1355039

https://bugzilla.mozilla.org/show_bug.cgi?id=1356558

https://bugzilla.mozilla.org/show_bug.cgi?id=1363396

https://bugzilla.mozilla.org/show_bug.cgi?id=1361326

https://bugzilla.mozilla.org/show_bug.cgi?id=1359547

https://bugzilla.mozilla.org/show_bug.cgi?id=1357090

https://bugzilla.mozilla.org/show_bug.cgi?id=1366595

https://bugzilla.mozilla.org/show_bug.cgi?id=1356824

https://bugzilla.mozilla.org/show_bug.cgi?id=1368490

https://bugzilla.mozilla.org/show_bug.cgi?id=1360309

https://bugzilla.mozilla.org/show_bug.cgi?id=1364283

https://bugzilla.mozilla.org/show_bug.cgi?id=1273265

Plugin Details

Severity: High

ID: 101771

File Name: macosx_thunderbird_52_2.nasl

Version: 1.5

Type: local

Agent: macosx

Published: 2017/07/17

Updated: 2018/07/14

Dependencies: 56557

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:thunderbird

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2017/06/14

Vulnerability Publication Date: 2017/06/14

Reference Information

CVE: CVE-2017-5470, CVE-2017-5472, CVE-2017-7749, CVE-2017-7750, CVE-2017-7751, CVE-2017-7752, CVE-2017-7754, CVE-2017-7756, CVE-2017-7757, CVE-2017-7758, CVE-2017-7763, CVE-2017-7764, CVE-2017-7771, CVE-2017-7772, CVE-2017-7773, CVE-2017-7774, CVE-2017-7775, CVE-2017-7776, CVE-2017-7777, CVE-2017-7778

BID: 99041

MFSA: 2017-17