Mozilla Didn't Forget Thunderbird, Updated it As Well
Three updates were released by the Mozilla Foundation yesterday, the 1st of March, the 1st day of spring. The Mozilla Foundation released Firefox 3.6.14 and Firefox 3.5.17 to fix multiple stability and security issues. The Mozilla Foundation also released Thunderbird 3.1.8, to address some stability and security issues as well.
"An update for Thunderbird 3.1.8 is now available for Windows, Mac, and Linux for free download from www.GetThunderbird.com/. This release makes several improvements to Thunderbird’s performance, stability, and security. Thunderbird 3.0.11 was the last security and stability update for Thunderbird 3.0.x. Thunderbird 3.0.x users will be prompted and encouraged to start using Thunderbird 3.1," announced Mozilla Messaging’s Mark Banner.
Firefox 3.6.4 and Firefox 3.5.17 came accompanied by a grand total of 10 security advisories, out of which 1 was rated moderate, 1 was rated high, and 8 were rated critical. Thunderbird 3.1.8 didn’t come accompanied by so many security advisories as Firefox; it came accompanied by 3 security advisories, 1 rated moderate and 2 rated critical.
I’ve said it before and I am going to say it again. The critical rating is given to vulnerabilities that could be exploited by someone with malicious intent to run attacker code and install software on a targeted machine with no interaction from the user, beyond normal browsing of course.
If you’re interested to learn more about the advisories that accompany Thunderbird 3.1.8, here are the details Mozilla made public:
Title: MFSA 2011-01 Miscellaneous memory safety hazards (rv:1.9.2.14/ 1.9.1.17)
Rating: Critical.
Description: Several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
Affected software: Firefox, Thunderbird, SeaMonkey.
Credit: Mozilla developers and community.
Title: MFSA 2011-09 Crash caused by corrupted JPEG image
Rating: Critical.
Description: A JPEG image could be constructed that would be decoded incorrectly, causing data to be written past the end of a buffer created to store the image. An attacker could potentially craft such an image that would cause malicious code to be stored in memory and then later executed on a victim's computer.
Affected software: Firefox, Thunderbird, SeaMonkey.
Credit: Jordi Chancel.
Title: MFSA 2011-08 ParanoidFragmentSink allows javascript: URLs in chrome
Rating: Moderate.
Description: ParanoidFragmentSink, a class used to sanitize potentially unsafe HTML for display, allows javascript: URLs and other inline JavaScript when the embedding document is a chrome document. While there are no unsafe uses of this class in any released products, extension code could have potentially used it in an unsafe manner.
Affected software: Firefox, Thunderbird, SeaMonkey.
Credit: Roberto Suggi Liverani.
"An update for Thunderbird 3.1.8 is now available for Windows, Mac, and Linux for free download from www.GetThunderbird.com/. This release makes several improvements to Thunderbird’s performance, stability, and security. Thunderbird 3.0.11 was the last security and stability update for Thunderbird 3.0.x. Thunderbird 3.0.x users will be prompted and encouraged to start using Thunderbird 3.1," announced Mozilla Messaging’s Mark Banner.
Firefox 3.6.4 and Firefox 3.5.17 came accompanied by a grand total of 10 security advisories, out of which 1 was rated moderate, 1 was rated high, and 8 were rated critical. Thunderbird 3.1.8 didn’t come accompanied by so many security advisories as Firefox; it came accompanied by 3 security advisories, 1 rated moderate and 2 rated critical.
I’ve said it before and I am going to say it again. The critical rating is given to vulnerabilities that could be exploited by someone with malicious intent to run attacker code and install software on a targeted machine with no interaction from the user, beyond normal browsing of course.
If you’re interested to learn more about the advisories that accompany Thunderbird 3.1.8, here are the details Mozilla made public:
Title: MFSA 2011-01 Miscellaneous memory safety hazards (rv:1.9.2.14/ 1.9.1.17)
Rating: Critical.
Description: Several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
Affected software: Firefox, Thunderbird, SeaMonkey.
Credit: Mozilla developers and community.
Title: MFSA 2011-09 Crash caused by corrupted JPEG image
Rating: Critical.
Description: A JPEG image could be constructed that would be decoded incorrectly, causing data to be written past the end of a buffer created to store the image. An attacker could potentially craft such an image that would cause malicious code to be stored in memory and then later executed on a victim's computer.
Affected software: Firefox, Thunderbird, SeaMonkey.
Credit: Jordi Chancel.
Title: MFSA 2011-08 ParanoidFragmentSink allows javascript: URLs in chrome
Rating: Moderate.
Description: ParanoidFragmentSink, a class used to sanitize potentially unsafe HTML for display, allows javascript: URLs and other inline JavaScript when the embedding document is a chrome document. While there are no unsafe uses of this class in any released products, extension code could have potentially used it in an unsafe manner.
Affected software: Firefox, Thunderbird, SeaMonkey.
Credit: Roberto Suggi Liverani.
