SecurityTracker.com
SecurityTracker
Archives
Category:   Application (E-mail Client)  >   Mozilla Thunderbird
Vendors:   Mozilla.org
Mozilla Thunderbird Multiple Bugs Let Remote Users Execute Arbitrary Code and Conduct Cross-Site Scripting Attacks and Let Local Users Obtain Files
SecurityTracker Alert ID:  1028887
SecurityTracker URL:  http://securitytracker.com/id/1028887
CVE Reference:   CVE-2013-1701, CVE-2013-1702, CVE-2013-1706, CVE-2013-1707, CVE-2013-1709, CVE-2013-1710, CVE-2013-1712, CVE-2013-1713, CVE-2013-1714, CVE-2013-1717
Date:  Aug 6 2013
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via local system, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 17.0.8
Description:   Multiple vulnerabilities were reported in Mozilla Thunderbird. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can conduct cross-site scripting attacks. A local user can obtain elevated privileges. A local user can obtain files.

A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a memory corruption error and execute arbitrary code on the target system [CVE-2013-1701, CVE-2013-1702]. The code will run with the privileges of the target user.

A stack overflow may occur in the Maintenance Service [CVE-2013-1706] and in the Mozilla Updater [CVE-2013-1707].

A remote user can cause the document's URI to be set to a URI other than the one actually loaded, which can be leveraged to conduct cross-site scripting attacks [CVE-2013-1709].

A remote user can conduct cross-site scripting attacks or execute arbitrary code when a Certificate Request Message Format (CRMF) request is generated in certain situations [CVE-2013-1710].

The Mozilla Updater on Windows 7 and later versions of Windows may load a local-user-supplied DLL file from the local system and run the DLL with elevated privileges [CVE-2013-1712].

The software may not properly validate uniform resource identifiers (URIs), which may allow same-origin policy bypass and cross-site scripting attacks [CVE-2013-1713].

A web worker can bypass same-origin policy and cross-origin checks via XMLHttpRequest to conduct cross-site scripting attacks [CVE-2013-1714].

Java applets loaded from the local file system may be able to gain read access to files on the system [CVE-2013-1717].

Jeff Gilbert, Henrik Skupin, Ben Turner, Christian Holler, Andrew McCreight, Gary Kwong, Jan Varga, Jesse Ruderman, Seb Patane, moz_bug_r_a4, Ash, Cody Crews, Federico Lanusse, Georgi Guninski, and John Schoenick reported these vulnerabilities.

Impact:   A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.

A remote user can conduct cross-site scripting attacks.

A local user can obtain elevated privileges.

A local user can obtain files.

Solution:   The vendor has issued a fix (ESR 17.0.8; 17.0.8).
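Because the affected range is "prior to 17.0.8", the practical check on a host is whether the installed Thunderbird version sorts numerically below that release. The following script is an added example and is not part of the SecurityTracker advisory or of Mozilla's tooling; it parses the output of `thunderbird -version` (assumed to print a line such as "Thunderbird 17.0.7" and to be on PATH) and compares version components as integers, so that 17.0.10 is correctly treated as newer than 17.0.8, which a plain string comparison would get wrong. The sample version strings in the block are constructed, not captured from real hosts.

```python
import re
import subprocess

# Releases below this version are affected according to the advisory.
FIXED_VERSION = "17.0.8"

# First dotted numeric version in a string, e.g. "17.0.8" out of "Thunderbird 17.0.8esr".
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)")


def parse_version(text):
    """Return the first dotted numeric version in `text` as a tuple of ints.

    Accepts raw output such as 'Thunderbird 17.0.7' as well as bare '17.0.8esr'.
    Raises ValueError if no version string is present.
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version string found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version_text, fixed=FIXED_VERSION):
    """True if `version_text` names a release older than `fixed`.

    Both versions are compared component-wise as integers, padded with zeros
    so that '17.0' compares equal to '17.0.0' rather than short-circuiting.
    """
    have = parse_version(version_text)
    need = parse_version(fixed)
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have < need


def installed_version(binary="thunderbird"):
    """Query the local install (assumption: `binary` is on PATH and honours -version)."""
    result = subprocess.run(
        [binary, "-version"], capture_output=True, text=True, check=True
    )
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed sample outputs; replace with installed_version() on a real host.
    samples = [
        "Thunderbird 17.0.7",
        "Thunderbird 17.0.8",
        "Thunderbird 17.0.10",
        "Thunderbird 16.0.2",
        "Thunderbird 24.0",
    ]
    for sample in samples:
        status = "AFFECTED (update to 17.0.8 or later)" if is_affected(sample) else "not affected"
        print(f"{sample}: {status}")
```

On a live system, call `installed_version()` and pass its result to `is_affected()`; the script treats any release at or above 17.0.8 (including later ESR and mainline branches) as fixed, which matches the advisory's "prior to 17.0.8" wording.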

The vendor's advisory is available at:

http://www.mozilla.org/security/announce/2013/mfsa2013-63.html
http://www.mozilla.org/security/announce/2013/mfsa2013-66.html
http://www.mozilla.org/security/announce/2013/mfsa2013-68.html
http://www.mozilla.org/security/announce/2013/mfsa2013-69.html
http://www.mozilla.org/security/announce/2013/mfsa2013-71.html
http://www.mozilla.org/security/announce/2013/mfsa2013-72.html
http://www.mozilla.org/security/announce/2013/mfsa2013-73.html
http://www.mozilla.org/security/announce/2013/mfsa2013-75.html

Vendor URL:  www.mozilla.org/security/announce/2013/mfsa2013-63.html
Cause:   Access control error, Boundary error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 7 2013 (Red Hat Issues Fix) Mozilla Thunderbird Multiple Bugs Let Remote Users Execute Arbitrary Code and Conduct Cross-Site Scripting Attacks and Let Local Users Obtain Files
Red Hat has issued a fix for Red Hat Enterprise Linux 5 and 6.

Copyright 2019, SecurityGlobal.net LLC