Mozilla Thunderbird < 16.0.1 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 6604

Synopsis

The remote host has an email client installed that is vulnerable to multiple attack vectors.

Description

Versions of Firefox prior to 16.0.1 are affected by the following security issues :

- Multiple memory-corruption vulnerabilities in the browser engine that could lead to arbitrary code execution. (CVE-2012-3982, CVE-2012-3983, CVE-2012-4191)
- A URI-spoofing vulnerability due to an error when handling the '&lt;select&gt;' dropdown menu. This issue can be exploited to display arbitrary content while showing the URL of another site. An attacker can also exploit this issue to cause click jacking attacks. (CVE-2012-3984, CVE-2012-5354)
- A security-bypass vulnerability exists because it fails to properly enforce the same-origin policy. Specifically, the error occurs when handling 'document.domain'. An attacker can exploit this issue to execute cross-site scripting attacks. (CVE-2012-3985)
- Multiple security bypass vulnerabilities exists in the 'nsDOMWindowUtils' methods. (CVE-2012-3986)
- A cross-site scripting vulnerability exists because it fails to sufficiently sanitize user-supplied input. Specifically, this issue occurs when transitioning into Reader Mode. Note: This issue affects only Firefox for Android. CVE-2012-3987)
- A use-after-free issue occurs when invoking full screen mode and navigating backwards in history. (CVE-2012-3988)
- A denial-of-service vulnerability that occurs due to invalid cast error. Specifically, this issue occurs when using the instanceof operator on certain JavaScript objects. (CVE-2012-3989)
- A security-bypass vulnerability exists because it fails to properly enforce the cross-origin policy. Specifically, this issue occurs when invoking the 'GetProperty()' function through JSAPI. An attacker can exploit this issue to perform arbitrary code-execution. (CVE-2012-3991)
- A cross-site scripting vulnerability exists because it fails to sufficiently sanitize user-supplied input. Specifically, this issue occurs when handling the 'location' property through binary plugins. (CVE-2012-3994)
- A security-bypass vulnerability exists because of an error in the Chrome Object Wrapper (COW) when handling the 'InstallTrigger' object. An attacker can exploit this issue to access certain privileged functions and properties. (CVE-2012-4184, CVE-2012-3993)
- An arbitrary code-execution occurs when handling the 'location.hash' property and history navigation. (CVE-2012-3992)
- An out-of-bounds read error affects the 'IsCSSWordSpacingSpace()' function. (CVE-2012-3995)
- A use-after-free error affects the 'nsHTMLCSSUtils::CreateCSSPropertyTxn()' function. (CVE-2012-4179)
- A heap-based buffer-overflow vulnerability exists in the 'nsHTMLEditor::IsPrevCharInNodeWhitespace()' function. (CVE-2012-4180)
- A use-after-free error affects the 'nsSMILAnimationController::DoSample()' function. (CVE-2012-4181)
- A use-after-free error affects the 'nsTextEditRules::WillInsert()' function. (CVE-2012-4182)
- A use-after-free error affects the 'DOMSVGTests::GetRequiredFeatures()' function. (CVE-2012-4183)
- A buffer-overflow vulnerability exists in the 'nsCharTraits::length()' function. (CVE-2012-4185)
- A heap-based buffer-overflow vulnerability exists in the 'nsWaveReader::DecodeAudioData()' function. (CVE-2012-4186)
- A memory-corruption vulnerability exists in the 'insPos' property. (CVE-2012-4187)
- A heap-based buffer-overflow exists in the 'Convolve3x3()' function. (CVE-2012-4188)
- A use-after-free error affects the 'nsIContent::GetNameSpaceID()' function. (CVE-2012-3990)
- A cross domain information disclosure exists due to improper access to the 'location' object. (CVE-2012-4192)
- A security-bypass vulnerability exists due to an error in security wrappers does not unwrap the 'defaultValue()' function properly. An attacker can exploit this issue to gain access to the 'location' object. (CVE-2012-4193)
These vulnerabilities allow attackers to execute arbitrary script or HTML code, steal cookie-based authentication credentials, conduct phishing attacks, execute arbitrary code in the context of the vulnerable application, crash affected applications, obtain potentially sensitive information, gain escalated privileges, bypass security restrictions, and perform unauthorized actions; other attacks may also be possible.

Solution

Upgrade to Thunderbird 16.0.1 or later.

See Also

http://www.mozilla.org/security/announce/2012/mfsa2012-74.html

http://www.mozilla.org/security/announce/2012/mfsa2012-75.html

http://www.mozilla.org/security/announce/2012/mfsa2012-76.html

http://www.mozilla.org/security/announce/2012/mfsa2012-77.html

http://www.mozilla.org/security/announce/2012/mfsa2012-78.html

http://www.mozilla.org/security/announce/2012/mfsa2012-79.html

http://www.mozilla.org/security/announce/2012/mfsa2012-80.html

http://www.mozilla.org/security/announce/2012/mfsa2012-81.html

http://www.mozilla.org/security/announce/2012/mfsa2012-82.html

http://www.mozilla.org/security/announce/2012/mfsa2012-83.html

http://www.mozilla.org/security/announce/2012/mfsa2012-84.html

http://www.mozilla.org/security/announce/2012/mfsa2012-85.html

http://www.mozilla.org/security/announce/2012/mfsa2012-86.html

http://www.mozilla.org/security/announce/2012/mfsa2012-87.html

Plugin Details

Severity: High

ID: 6604

File Name: 6604.prm

Family: SMTP Clients

Published: 2012/10/16

Modified: 2016/03/17

Dependencies: 5558

Nessus ID: 62582

Risk Information

Risk Factor: High

CVSSv2

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSSv3

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS3#AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS3#E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:thunderbird

Patch Publication Date: 2012/10/12

Vulnerability Publication Date: 2012/10/10

Exploitable With

Metasploit (Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution)

Reference Information

CVE: CVE-2012-3982, CVE-2012-3983, CVE-2012-3984, CVE-2012-3985, CVE-2012-3986, CVE-2012-3987, CVE-2012-3988, CVE-2012-3989, CVE-2012-3990, CVE-2012-3991, CVE-2012-3992, CVE-2012-3993, CVE-2012-3994, CVE-2012-3995, CVE-2012-4179, CVE-2012-4180, CVE-2012-4181, CVE-2012-4182, CVE-2012-4183, CVE-2012-4184, CVE-2012-4185, CVE-2012-4186, CVE-2012-4187, CVE-2012-4188, CVE-2012-4191, CVE-2012-4192, CVE-2012-4193, CVE-2012-5354

BID: 55856, 55857, 55889, 55922, 55924, 55926, 55927, 55929, 55930, 55931, 55932, 56119, 56120, 56121, 56123, 56125, 56126, 56127, 56128, 56129, 56130, 56131, 56135, 56136, 56140, 56145, 56153, 56154, 56155, 57181

OSVDB: 86094, 86095, 86096, 86097, 86098, 86099, 86100, 86101, 86102, 86103, 86104, 86105, 86106, 86108, 86109, 86110, 86111, 86112, 86113, 86114, 86115, 86116, 86117, 86171