Mozilla Thunderbird MIME External-Body Heap Overflow Vulnerability
27 Feb. 2008
Mozilla Thunderbird is "an open source electronic mail client and news reader. Multipurpose Internet Message Extensions (MIME) is a standard that defines how non-text attachments and other data are handled in electronic mail. The external-body MIME type is used for retrieving a resource that is referenced in the message, such as an attachment". Remote exploitation of a heap-based buffer overflow vulnerability in Mozilla Organization's Thunderbird could allow an attacker to execute arbitrary code with the privileges of the current user.
The vulnerability exists when parsing the external-body MIME type in an electronic mail. When the number of bytes to allocate for a heap buffer is calculated, sufficient space is not reserved for all of the data that is copied into the buffer. As a result, the buffer can be overflowed by up to 3 bytes, potentially allowing for the execution of arbitrary code.
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user running Thunderbird. Exploitation requires that an attacker socially engineer a user into viewing a malicious message in Thunderbird. If the 'View->Message Pane' option is turned on (the "Preview" pane), which is the default, then all a targeted user has to do is select the message in the browsing pane. Once the message is previewed, the vulnerability will be triggered.
Setting the "mailnews.display.disallow_mime_handlers" configuration property to any value >= 3 will prevent the vulnerable code from being triggered.
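One way to audit a Thunderbird profile for the workaround above, as an added example that is not part of the original advisory: it parses the user_pref(...) lines of a profile's prefs.js and user.js (user.js is applied at startup and overrides prefs.js) and reports whether the property is set to an integer >= 3. The function names and sample file contents are constructed for illustration, and treating a quoted (string) value as "not applied" is a conservative assumption.

```python
import re

PREF = "mailnews.display.disallow_mime_handlers"
# Matches an active (uncommented) line of the form: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def read_pref(text, name=PREF):
    """Return the raw value last assigned to `name` in a prefs file, or None."""
    value = None
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m and m.group(1) == name:
            value = m.group(2)  # a later assignment replaces an earlier one
    return value

def workaround_status(prefs_js="", user_js=""):
    """Return (applied, reason) for one profile; user.js takes precedence."""
    raw, source = read_pref(user_js), "user.js"
    if raw is None:
        raw, source = read_pref(prefs_js), "prefs.js"
    if raw is None:
        return (False, "pref not set in prefs.js or user.js")
    if not re.fullmatch(r"-?\d+", raw):
        # Assumption: anything but a bare integer is reported as not applied.
        return (False, f"non-integer value {raw} in {source}")
    if int(raw) >= 3:
        return (True, f"{raw} in {source}")
    return (False, f"{raw} in {source} is below 3")

# Constructed sample profile contents (not taken from a real installation).
SAMPLE_PREFS_JS = (
    'user_pref("example.other.pref", 1);\n'
    'user_pref("mailnews.display.disallow_mime_handlers", 3);\n'
)
SAMPLE_USER_JS = '// user_pref("mailnews.display.disallow_mime_handlers", 0);\n'

if __name__ == "__main__":
    print(workaround_status(SAMPLE_PREFS_JS, SAMPLE_USER_JS))
    print(workaround_status(SAMPLE_PREFS_JS,
                            'user_pref("mailnews.display.disallow_mime_handlers", 0);'))
```

Run it against the contents of each profile's prefs.js and user.js; a profile where user.js resets the property below 3 is reported as not applied even when prefs.js carries the workaround.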