Thunderbird 3.0.2 Plugs Critical Security Holes
Mozilla’s email client has been updated to version 3.0.2 last week. If you’re currently riding the Thunderbird 3.0 train, you are well advised to upgrade. Thunderbird 3.0.2 comes with several fixes to IMAP, fixes some issues 2.0 users upgrading to version 3.0 were experiencing, and plugs some critical security holes.
Just to put things in perspective, Mozilla rates a vulnerability as critical only when a person with malicious intent can exploit it to run attacker code and install software on the targeted machine – with no user interaction whatsoever. Here are the security advisories related to the Thunderbird 3.0.2 update: Title: Use-after-free crash in HTML parser
Description: The HTML parser incorrectly freed used memory when insufficient space was available to process remaining input. Under such circumstances, memory occupied by in-use objects was freed and could later be filled with attacker-controlled text. These conditions could result in the execution or arbitrary code if methods on the freed objects were subsequently called.
Credit: Alin Rad Pop of Secunia Research Title: Crashes with evidence of memory corruption (rv:1.9.1.8/ 1.9.0.18)
Description: Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
Credit: Mozilla developers and community
The final version of Thunderbird 3.0 was released back in December. If you’re currently using an older Thunderbird version, you could use this occasion to upgrade. You will not regret it; Thunderbird 3.0 comes with the following:
Update 2 March 2010: Thunderbird 3.0.3 has been rolled out. The update comes with a “fix for missing folders or empty folder pane after updating to Thunderbird 3.0.2”.
Download the software here. Check out the release notes here.
Just to put things in perspective, Mozilla rates a vulnerability as critical only when a person with malicious intent can exploit it to run attacker code and install software on the targeted machine – with no user interaction whatsoever. Here are the security advisories related to the Thunderbird 3.0.2 update: Title: Use-after-free crash in HTML parser
Description: The HTML parser incorrectly freed used memory when insufficient space was available to process remaining input. Under such circumstances, memory occupied by in-use objects was freed and could later be filled with attacker-controlled text. These conditions could result in the execution or arbitrary code if methods on the freed objects were subsequently called.
Credit: Alin Rad Pop of Secunia Research Title: Crashes with evidence of memory corruption (rv:1.9.1.8/ 1.9.0.18)
Description: Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
Credit: Mozilla developers and community
The final version of Thunderbird 3.0 was released back in December. If you’re currently using an older Thunderbird version, you could use this occasion to upgrade. You will not regret it; Thunderbird 3.0 comes with the following:
- - New Search with Advanced Filtering Tools
- - New Global Search Field with Autocomplete
- - New Mail Account Setup Wizard
- - Redesigned Mail Toolbar
- - Tabbed Email Messages
- - Smart Folders
- - New Message Summary View
- - Column Headings
- - Message Archive
- - Activity Manager
- - New Add-ons Manager
- - Improved Address Book
- - Improved Gmail Integration
- - Integrated with Vista search results (Windows version only)
- - Integrated with Spotlight (Mac OS X version only)
- - Thunderbird 3 can import from Mail.app, can read your OS X address book, and can use Growl for new mail alerts (Mac OS X version only)
- - IMAP Folder Synchronization
Update 2 March 2010: Thunderbird 3.0.3 has been rolled out. The update comes with a “fix for missing folders or empty folder pane after updating to Thunderbird 3.0.2”.
Download the software here. Check out the release notes here.
