
Mozilla Thunderbird < 31.2 Multiple Vulnerabilities

High

Synopsis

The remote host has an email client installed that is vulnerable to multiple attack vectors.

Description

Versions of Mozilla Thunderbird prior to 31.2 are prone to the following vulnerabilities:

- A buffer overflow vulnerability exists when capitalization style changes occur during CSS parsing. (CVE-2014-1576)
- An out-of-bounds read error exists in the Web Audio component when invalid values are used in custom waveforms, which can lead to a denial of service or information disclosure. (CVE-2014-1577)
- An out-of-bounds write error when processing invalid tile sizes in 'WebM' format videos can be leveraged for arbitrary code execution. (CVE-2014-1578)
- A use-after-free error in the 'DirectionalityUtils' component when text direction is used in the text layout can be leveraged for arbitrary code execution. (CVE-2014-1581)
- Multiple security bypass vulnerabilities exist in the implementation of Public Key Pinning (PKP); one issue can be triggered via SPDY's or HTTP/2's connection-coalescing property in the case of a shared IP address, and another issue is exposed by an unspecified issuer-verification error. Both scenarios can be leveraged for man-in-the-middle attacks. Note that key pinning was introduced in Firefox 32. (CVE-2014-1582, CVE-2014-1584)
- Multiple memory safety flaws exist within the browser engine, which can likely be leveraged for denial of service or arbitrary code execution. (CVE-2014-1574, CVE-2014-1575)

Solution

Upgrade to Thunderbird 31.2 or later.