Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
Mozilla Thunderbird Multiple Bugs Let Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1016588 |
|
SecurityTracker URL: http://securitytracker.com/id/1016588
|
|
CVE Reference:
CVE-2006-3113, CVE-2006-3801, CVE-2006-3802, CVE-2006-3803, CVE-2006-3804, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3808, CVE-2006-3809, CVE-2006-3810, CVE-2006-3811
(Links to External Site)
|
Date: Jul 27 2006
|
Impact:
Denial of service via network, Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 1.5.0.4 and prior versions
|
Description:
Several vulnerabilities were reported in Mozilla Thunderbird. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can execute arbitrary scripting code in the context of an arbitrary domain.
A remote user can create a specially crafted HTML that, when loaded by the target user, will cause the target user's application to crash or execute arbitrary code. The code will run with the privileges of the target user.
A flaw in the processing of simultaneously XPCOM events may cause a deleted timer object to be used, causing the browser to crash or execute arbitrary code [MFSA 2006-46; CVE-2006-3113]. Thunderbird is affected if Javascript is enabled in mail. Secunia Research discovered this vulnerability.
The browser may not properly clear a JavaScript reference to a frame or window when the referenced content is deleted, allowing native code to be executed [MFSA 2006-44; CVE-2006-3801]. Thunderbird is affected if Javascript is enabled in mail. Thilo Girmann discovered this vulnerability.
A web page can hijack native DOM methods on a target document object in a different domain to cause arbitrary scripting code to run in the target domain [MFSA 2006-47; CVE-2006-3802]. Thunderbird is affected if Javascript is enabled. Thor Larholm discovered this vulnerability.
A script can redefine the standard Object() constructor of a named Javascript function to return a reference to a privileged target object, allowing the script to execute with elevated privileges [MFSA 2006-51; CVE-2006-3807]. Thunderbird is affected if Javascript is enabled. moz_bug_r_a4 discovered this vulnerability.
A race condition in Javascript garbage collection may cause a temporary variable to be deleted while still being used to create a new Function object [MFSA 2006-48; CVE-2006-3803]. This may allow a remote user to execute arbitrary code. Thunderbird is affected if Javascript is enabled. H. D. Moore discovered this vulnerability.
A VCard attachment with a specially crafted base64 field (such as a photo) can trigger a heap buffer overwrite [MFSA 2006-49; CVE-2006-3804]. Mozilla developer Daniel Veditz discovered this vulnerability.
Some garbage collection functions may delete temporary objects that are still in use, which may allow a remote user to execute arbitrary code [MFSA 2006-50; CVE-2006-3805]. Thunderbird is affected if Javascript is enabled. Mozilla developers Igor Bukanov and shutdown discovered this vulnerability.
Some integer overflows can be triggered by long strings in the toSource() methods of the Object, Array, and String objects and string function arguments [MFSA 2006-50; CVE-2006-3806]. Thunderbird is affected if Javascript is enabled. Mozilla developer Georgi Guninski discovered this vulnerability.
A Proxy AutoConfig (PAC) server can send a specially crafted PAC script that sets the required FindProxyForURL function to the eval method on a privileged object that has leaked into the PAC sandbox to execute code with elevated privileges [MFSA 2006-52; CVE-2006-3808]. moz_bug_r_a4 discovered this vulnerability.
A script that has been granted the UniversalBrowserRead privilege can gain UniversalXPConnect privileges [MFSA 2006-53; CVE-2006-3809]. Thunderbird is affected if Javascript is enabled. Mozilla developer shutdown reported this vulnerability.
A remote user can invoke XPCNativeWrapper(window).Function(...) to create a function that can execute in a target window, permitting cross-site scripting attacks [MFSA 2006-54; CVE-2006-3810]. Thunderbird is affected if Javascript is enabled. Mozilla developer shutdown reported this vulnerability.
A remote user can trigger any of several memory corruption errors, causing the target user's browser to crash or potentially execute arbitrary code [MFSA 2006-55; CVE-2006-3811]. Mozilla developers Boris Zbarsky, Darin Fisher, Daniel Veditz, Jesse Ruderman, and Martijn Wargers discovered these vulnerabilities.
|
Impact:
A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.
A remote user can execute arbitrary scripting code in the context of an arbitrary domain.
|
Solution:
The vendor has issued a fixed version (1.5.0.5).
The Mozilla advisories are available at:
http://www.mozilla.org/security/announce/2006/mfsa2006-44.html
http://www.mozilla.org/security/announce/2006/mfsa2006-46.html
http://www.mozilla.org/security/announce/2006/mfsa2006-47.html
http://www.mozilla.org/security/announce/2006/mfsa2006-48.html
http://www.mozilla.org/security/announce/2006/mfsa2006-49.html
http://www.mozilla.org/security/announce/2006/mfsa2006-50.html
http://www.mozilla.org/security/announce/2006/mfsa2006-51.html
http://www.mozilla.org/security/announce/2006/mfsa2006-52.html
http://www.mozilla.org/security/announce/2006/mfsa2006-53.html
http://www.mozilla.org/security/announce/2006/mfsa2006-54.html
http://www.mozilla.org/security/announce/2006/mfsa2006-55.html
|
Vendor URL: www.mozilla.com/thunderbird/ (Links to External Site)
|
Cause:
Access control error, Boundary error, State error
|
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Thu, 27 Jul 2006 01:35:52 -0400
Subject: Mozilla Thunderbird vulnerabilities
|
CVE-2006-3113, CVE-2006-3801, CVE-2006-3802, CVE-2006-3803, CVE-2006-3804, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3808, CVE-2006-3809, CVE-2006-3810, CVE-2006-3811, CVE-2006-3812
MFSA 2006-56 chrome: scheme loading remote content CVE-2006-3812
MFSA 2006-55 Crashes with evidence of memory corruption (rv:1.8.0.5) CVE-2006-3811
MFSA 2006-54 XSS with XPCNativeWrapper(window).Function(...) CVE-2006-3810
MFSA 2006-53 UniversalBrowserRead privilege escalation CVE-2006-3809
MFSA 2006-52 PAC privilege escalation using Function.prototype.call CVE-2006-3808
MFSA 2006-51 Privilege escalation using named-functions and redefined "new Object()" CVE-2006-3807
MFSA 2006-50 JavaScript engine vulnerabilities CVE-2006-3805, CVE-2006-3806
MFSA 2006-49 Heap buffer overwrite on malformed VCard CVE-2006-3804
MFSA 2006-48 JavaScript new Function race condition CVE-2006-3803
MFSA 2006-47 Native DOM methods can be hijacked across domains CVE-2006-3802
MFSA 2006-46 Memory corruption with simultaneous events CVE-2006-3113
MFSA 2006-44 Code execution through deleted frame reference CVE-2006-3801
|
|
Go to the Top of This SecurityTracker Archive Page
|
