Code Execution Flaw Haunts Mozilla Thunderbird

A new version of the open-source Mozilla Thunderbird mail client has been released to fix at least six security vulnerabilities that could expose users to PC takeover attacks. The most serious of the six vulnerabilities, a “critical” heap buffer overflow in external MIME bodies, could allow an attacker to execute arbitrary code with the privileges of the current user.

“When calculating the number of bytes to allocate for a heap buffer, sufficient space is not reserved for all of the data being copied into the buffer. This results in up to three bytes of the buffer being overflowed, potentially allowing for the execution of arbitrary code,” according to an alert from iDefense, the company that reported the flaw to Mozilla.

Exploitation requires that an attacker social engineer a user into viewing a malicious message in Thunderbird. If the “View->Message Pane” option is turned on (in the “Preview” pane), which is the default, then all a targeted user has to do is select the message in the browsing pane. Once the message is previewed, the vulnerability will be triggered, iDefense warned. The flaw affects both Linux and Windows users.

Source: eWeek

About The Author

Deepak Gupta is an IT & Web Consultant. He is the founder and CEO of diTii.com & DIT Technologies, where he's engaged in providing Technology Consultancy, Design and Development of Desktop, Web and Mobile applications using various tools and software.