Mozilla Thunderbird < 13.0 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 6498

Synopsis

The remote host has an email client installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Thunderbird prior to 13.0 are affected by the following security issues :

- An error exists in the ASN.1 decoder when handling zero length items that can lead to application crashes. (CVE-2012-0441)
- Multiple memory corruption errors exist. (CVE-2012-1937, CVE-2012-1038)
- Two heap-based buffer overflows and one heap-based use-after-free error exist and are potentially exploitable. (CVE-2012-1940, CVE-2012-1941, CVE-2012-1947)
- Two arbitrary DLL load issues exist related to the application update and update service functionality. (CVE-2012-1942, CVE-2012-1943)
- The inline-script blocking feature of the 'Content Security Policy' (CSP) does not properly block inline event handlers. This error allows remote attackers to more easily carry out cross-site scripting attacks. (CVE-2012-1944)
- A use-after-free error exists related to replacing or inserting a node into a web document. (CVE-2012-1946)

Solution

Upgrade to Thunderbird 13.0 or later.

See Also

http://www.mozilla.org/security/announce/2012/mfsa2012-34.html

http://www.mozilla.org/security/announce/2012/mfsa2012-35.html

http://www.mozilla.org/security/announce/2012/mfsa2012-36.html

http://www.mozilla.org/security/announce/2012/mfsa2012-38.html

http://www.mozilla.org/security/announce/2012/mfsa2012-39.html

http://www.mozilla.org/security/announce/2012/mfsa2012-40.html

Plugin Details

Severity: High

ID: 6498

File Name: 6498.prm

Family: SMTP Clients

Published: 2012/06/07

Modified: 2017/02/02

Dependencies: 5558

Nessus ID: 59405, 59409

Risk Information

Risk Factor: High

CVSSv2

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSSv3

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS3#AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS3#E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:thunderbird

Patch Publication Date: 2012/06/05

Vulnerability Publication Date: 2012/06/05

Reference Information

CVE: CVE-2012-0441, CVE-2012-1937, CVE-2012-1938, CVE-2012-1939, CVE-2012-1940, CVE-2012-1941, CVE-2012-1942, CVE-2012-1943, CVE-2012-1944, CVE-2012-1945, CVE-2012-1946, CVE-2012-1947

BID: 53791, 53792, 53793, 53794, 53796, 53797, 53798, 53799, 53800, 53801, 53803, 53807

IAVA: 2012-A-0189