Mozilla Upgrades Thunderbird to Fix Six Bugs

Mozilla has recently launched a new edition of its e-mail client, Thunderbird, patching six flaws. The arrival of the update follows the introduction of Mozilla Messaging, the new mail subsidiary of Mozilla Foundation, a non-profit organization.

One of the vulnerabilities that Mozilla rated as critical was actually the discovery of iDefense, a research firm. IDefense found a 'heap-based buffer overflow' flaw in Mozilla Mail code, which, on exploitation, could let an attacker execute arbitrary code.

Mozilla found that the problem is caused because of an error in the way external-body MIME types are handled. By mailing a crafty message, the attacker could initiate a buffer overflow fault, leaving the potential victim vulnerable to remote launch and installation of malware. If the exploitation is successful, it might allow running an arbitrary code.

Patch for the vulnerability in SeaMonkey 1.1.8 and Thunderbird 2.0.0.12 has been released. The US CERT (Computer Emergency Response Team) suggested that users should adopt both the applications' recent versions. The flaws fixed are reported to affect both Linux and Windows software.

According to iDefense, installation of arbitrary code is with user privileges of Thunderbird. It also says through an advisory that the attacker simply needs to use social engineering to make the user open a malicious e-mail so that the attack works. Basically, the attack requires the user to have his Thunderbird's default preview pane feature turned on.

Apart from the critical fix, Mozilla also offered fixes for other five bugs as well. The company maintains that these patches are to protect against directory traversal, information disclosure, cross-site scripting, privilege escalation, and arbitrary code installation.

As already mentioned, the update follows directly after the announcement of Mozilla Messaging, which initially focused on the designing of Thunderbird 3. The latter will deliver better search capabilities, integrated calendaring and general enhancements to its overall adoption by the subscriber.

Besides, as the acceptance of Mozilla grows, attackers are also increasingly drawn towards it. In related news, a patch for Mozilla's add-on vulnerability that was recognized in January 2008 also comes from the company's security team.

Related article: Mozilla Rules Out Bug in Its Firefox

» SPAMfighter News - 3/4/2008