Rapid7 Vulnerability & Exploit Database

RHSA-2012:0388: thunderbird security update

Back to Search

RHSA-2012:0388: thunderbird security update



Mozilla Thunderbird is a standalone mail and newsgroup client.Several flaws were found in the processing of malformed content. Maliciouscontent could cause Thunderbird to crash or, potentially, execute arbitrarycode with the privileges of the user running Thunderbird. (CVE-2012-0461,CVE-2012-0462, CVE-2012-0464)Two flaws were found in the way Thunderbird parsed certain Scalable VectorGraphics (SVG) image files. An HTML mail message containing a malicious SVGimage file could cause an information leak, or cause Thunderbird to crashor, potentially, execute arbitrary code with the privileges of the userrunning Thunderbird. (CVE-2012-0456, CVE-2012-0457)A flaw could allow malicious content to bypass intended restrictions,possibly leading to a cross-site scripting (XSS) attack if a user weretricked into dropping a "javascript:" link onto a frame. (CVE-2012-0455)It was found that the home page could be set to a "javascript:" link. If auser were tricked into setting such a home page by dragging a link to thehome button, it could cause Firefox to repeatedly crash, eventually leadingto arbitrary code execution with the privileges of the user runningFirefox. A similar flaw was found and fixed in Thunderbird. (CVE-2012-0458)A flaw was found in the way Thunderbird parsed certain, remote contentcontaining "cssText". Malicious, remote content could cause Thunderbird tocrash or, potentially, execute arbitrary code with the privileges of theuser running Thunderbird. (CVE-2012-0459)It was found that by using the DOM fullscreen API, untrusted content couldbypass the mozRequestFullscreen security protections. Malicious contentcould exploit this API flaw to cause user interface spoofing.(CVE-2012-0460)A flaw was found in the way Thunderbird handled content with multipleContent Security Policy (CSP) headers. This could lead to a cross-sitescripting attack if used in conjunction with a website that has a headerinjection flaw. (CVE-2012-0451)Note: All issues except CVE-2012-0456 and CVE-2012-0457 cannot be exploitedby a specially-crafted HTML mail message as JavaScript is disabled bydefault for mail messages. It could be exploited another way inThunderbird, for example, when viewing the full remote content of an RSSfeed.All Thunderbird users should upgrade to this updated package, whichcontains Thunderbird version 10.0.3 ESR, which corrects these issues. Afterinstalling the update, Thunderbird must be restarted for the changes totake effect.


  • redhat-upgrade-thunderbird
  • redhat-upgrade-thunderbird-debuginfo

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center