Mozilla Thunderbird < 52.2 Multiple Vulnerabilities

critical Nessus Plugin ID 101772

Synopsis

The remote Windows host contains a mail client that is affected by multiple vulnerabilities.

Description

The version of Mozilla Thunderbird installed on the remote Windows host is prior to 52.2 It is, therefore, affected by multiple vulnerabilities :

- Multiple memory corruption issues exist that allow an unauthenticated, remote attacker to execute arbitrary code by convincing a user to visit a specially crafted website. (CVE-2017-5470)

- A use-after-free error exists in the EndUpdate() function in nsCSSFrameConstructor.cpp that is triggered when reconstructing trees during regeneration of CSS layouts. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-5472)

- A use-after-free error exists in the Reload() function in nsDocShell.cpp that is triggered when using an incorrect URL during the reload of a docshell. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7749)

- A use-after-free error exists in the Hide() function in nsDocumentViewer.cpp that is triggered when handling track elements. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7750)

- A use-after-free error exists in the nsDocumentViewer class in nsDocumentViewer.cpp that is triggered when handling content viewer listeners. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code.
(CVE-2017-7751)

- A use-after-free error exists that is triggered when handling events while specific user interaction occurs with the input method editor (IME). An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code.
(CVE-2017-7752)

- An out-of-bounds read error exists in the IsComplete() function in WebGLTexture.cpp that is triggered when handling textures. An unauthenticated, remote attacker can exploit this to disclose memory contents.
(CVE-2017-7754)

- A privilege escalation vulnerability exists due to improper loading of dynamic-link library (DLL) files. A local attacker can exploit this, via a specially crafted DLL file in the installation path, to inject and execute arbitrary code. (CVE-2017-7755)

- A use-after-free error exists in the SetRequestHead() function in XMLHttpRequestMainThread.cpp that is triggered when logging XML HTTP Requests (XHR). An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7756)

- A use-after-free error exists in ActorsParent.cpp due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7757)

- An out-of-bounds read error exists in the AppendAudioSegment() function in TrackEncoder.cpp that is triggered when the number of channels in an audio stream changes while the Opus encoder is in use. An unauthenticated, remote attacker can exploit this to disclose sensitive information. (CVE-2017-7758)

- A flaw exists in the isLabelSafe() function in nsIDNService.cpp that is triggered when handling characters from different unicode blocks. An unauthenticated, remote attacker can exploit this, via a specially crafted IDN domain, to spoof a valid URL and conduct phishing attacks. (CVE-2017-7764)

- A flaw exists that is triggered due to improper parsing of long filenames when handling downloaded files. An unauthenticated, remote attacker can exploit this to cause a file to be downloaded without the 'mark-of-the-web' applied, resulting in security warnings for executables not being displayed.
(CVE-2017-7765)

- An out-of-bounds read error exists in the Graphite component in the readPass() function in Pass.cpp. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the disclosure of memory contents. (CVE-2017-7771)

- Multiple integer overflow conditions exist in the Graphite component in the decompress() function in Decompressor.cpp due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7772, CVE-2017-7773, CVE-2017-7778)

- An out-of-bounds read error exists in the Graphite component in the readGraphite() function in Silf.cpp. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or disclose memory contents. (CVE-2017-7774)

- An out-of-bounds read error exists in the Graphite component in getClassGlyph() function in Silf.cpp due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2017-7776)

- A flaw exists in the Graphite component in the read_glyph() function in GlyphCache.cpp related to use of uninitialized memory. An unauthenticated, remote attacker can exploit this to have an unspecified impact.
(CVE-2017-7777)

Solution

Upgrade to Mozilla Thunderbird version 52.2 or later.

See Also

https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/

https://bugzilla.mozilla.org/show_bug.cgi?id=1365602

https://bugzilla.mozilla.org/show_bug.cgi?id=1355039

https://bugzilla.mozilla.org/show_bug.cgi?id=1356558

https://bugzilla.mozilla.org/show_bug.cgi?id=1363396

https://bugzilla.mozilla.org/show_bug.cgi?id=1361326

https://bugzilla.mozilla.org/show_bug.cgi?id=1359547

https://bugzilla.mozilla.org/show_bug.cgi?id=1357090

https://bugzilla.mozilla.org/show_bug.cgi?id=1366595

https://bugzilla.mozilla.org/show_bug.cgi?id=1356824

https://bugzilla.mozilla.org/show_bug.cgi?id=1368490

https://bugzilla.mozilla.org/show_bug.cgi?id=1360309

https://bugzilla.mozilla.org/show_bug.cgi?id=1364283

https://bugzilla.mozilla.org/show_bug.cgi?id=1273265

Plugin Details

Severity: Critical

ID: 101772

File Name: mozilla_thunderbird_52_2.nasl

Version: 1.7

Type: local

Agent: windows

Family: Windows

Published: 7/17/2017

Updated: 1/16/2024

Supported Sensors: Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2017-7778

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:thunderbird

Required KB Items: Mozilla/Thunderbird/Version

Exploit Ease: No known exploits are available

Patch Publication Date: 6/14/2017

Vulnerability Publication Date: 6/14/2017

Reference Information

CVE: CVE-2017-5470, CVE-2017-5472, CVE-2017-7749, CVE-2017-7750, CVE-2017-7751, CVE-2017-7752, CVE-2017-7754, CVE-2017-7755, CVE-2017-7756, CVE-2017-7757, CVE-2017-7758, CVE-2017-7764, CVE-2017-7765, CVE-2017-7771, CVE-2017-7772, CVE-2017-7773, CVE-2017-7774, CVE-2017-7776, CVE-2017-7777, CVE-2017-7778

BID: 99041

MFSA: 2017-17