|
|
|
|
| |
Credit:
The information has been provided by iDefense Labs.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=668
|
| |
Vulnerable Systems:
* Thunderbird version 2.0.0.9
Immune Systems:
* Thunderbird version 2.0.0.12
The vulnerability exists when parsing the external-body MIME type in an electronic mail. When calculating the number of bytes to allocate for a heap buffer, sufficient space is not reserved for all of the data being copied into the buffer. This results in up to 3 bytes of the buffer being overflowed, potentially allowing for the execution of arbitrary code.
Analysis:
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user running Thunderbird. Exploitation requires that an attacker social engineers a user into viewing a malicious message in Thunderbird. If the 'View->Message Pane' option is turned on (the "Preview" pane), which is the default, then all a targeted user has to do is select the message in the browsing pane. Once the message is previewed, the vulnerability will be triggered.
Workaround:
Setting the "mailnews.display.disallow_mime_handlers" configuration property to any value >= 3 will prevent the vulnerable code from being triggered.
Vendor response:
The Mozilla Foundation has addressed this vulnerability by releasing version 2.0.0.12 of Thunderbird. For more information, refer to their advisory at the following URL: http://www.mozilla.org/security/announce/2008/mfsa2008-12.html
CVE Information:
CVE-2008-0304
Disclosure Timeline:
01/14/2008 - Initial vendor notification
01/14/2008 - Initial vendor response
02/26/2008 - Coordinated public disclosure
|
|
|
|
|
