Thunderbird is out

Published: 2008-02-27
Last Updated: 2008-03-02 20:24:22 UTC
by Raul Siles (Version: 2)

A new Thunderbird version,, has been released. This version fixes four (4) known vulnerabilities: 1 critical, 2 high and 1 moderate.

MFSA 2008-12 Heap buffer overflow in external MIME bodies
MFSA 2008-05 Directory traversal via chrome: URI
MFSA 2008-03 Privilege escalation, XSS, Remote Code Execution
MFSA 2008-01 Crashes with evidence of memory corruption (rv:

We were told by the security people at Mozilla a couple of weeks ago, when Firefox was released, that this Thunderbird version contains security fixes that will never be fixed in a 1.5 version. So, if you're still running Thunderbird 1.X, it is time to update!

Thanks Jason for the heads up.

Updated 2008-03-02 - Mozilla recently updated their webpage concerning MFSA 2008-07. Thunderbird was incorrectly noted as being vulnerable but lacks the <canvas> functionality necessary to read sensitive data from memory. As such, only 4 known vulnerabilities were fixed in this version. For more information on the flaw and the updated vendor advisory, please see the following:

MFSA 2008-07 Possible information disclosure in BMP decoder

Raul Siles

