Rapid7 Vulnerability & Exploit Database

CESA-2008:0105: RHSA-2008:0105

Back to Search

CESA-2008:0105: RHSA-2008:0105

Severity
9
CVSS
(AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published
02/08/2008
Created
07/25/2018
Added
03/12/2010
Modified
08/29/2017

Description

Critical: thunderbird security updateMozilla Thunderbird is a standalone mail and newsgroup client.A heap-based buffer overflow flaw was found in the way Thunderbirdprocessed messages with external-body Multipurpose Internet MessageExtensions (MIME) types. A HTML mail message containing malicious contentcould cause Thunderbird to execute arbitrary code as the user runningThunderbird. (CVE-2008-0304)Several flaws were found in the way Thunderbird processed certain malformedHTML mail content. A HTML mail message containing malicious content couldcause Thunderbird to crash, or potentially execute arbitrary code as theuser running Thunderbird. (CVE-2008-0412, CVE-2008-0413, CVE-2008-0415,CVE-2008-0419)Several flaws were found in the way Thunderbird displayed malformed HTMLmail content. A HTML mail message containing specially-crafted contentcould trick a user into surrendering sensitive information. (CVE-2008-0420,CVE-2008-0591, CVE-2008-0593)A flaw was found in the way Thunderbird handles certain chrome URLs. If auser has certain extensions installed, it could allow a malicious HTML mailmessage to steal sensitive session data. Note: this flaw does not affect adefault installation of Thunderbird. (CVE-2008-0418)Note: JavaScript support is disabled by default in Thunderbird; the aboveissues are not exploitable unless JavaScript is enabled.A flaw was found in the way Thunderbird saves certain text files. If aremote site offers a file of type "plain/text", rather than "text/plain",Thunderbird will not show future "text/plain" content to the user, forcingthem to save those files locally to view the content. (CVE-2008-0592)Users of thunderbird are advised to upgrade to these updated packages,which contain backported patches to resolve these issues.

Solution(s)

  • centos-upgrade-thunderbird

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;