| Description: | Mozilla Thunderbird is a standalone mail and newsgroup client.
Several flaws were found in the way Thunderbird processes certain malformed Javascript code. A malicious HTML mail message could cause the execution of Javascript code in such a way that could cause Thunderbird to crash or execute arbitrary code as the user running Thunderbird. (CVE-2006-5463, CVE-2006-5747, CVE-2006-5748)
Several flaws were found in the way Thunderbird renders HTML mail messages. A malicious HTML mail message could cause the mail client to crash or possibly execute arbitrary code as the user running Thunderbird. (CVE-2006-5464)
A flaw was found in the way Thunderbird verifies RSA signatures. For RSA keys with exponent 3 it is possible for an attacker to forge a signature that would be incorrectly verified by the NSS library. Thunderbird as shipped trusts several root Certificate Authorities that use exponent 3. An attacker could have created a carefully crafted SSL certificate which would be incorrectly trusted when their site was visited by a victim. This flaw was previously thought to be fixed in Thunderbird 1.5.0.7, however Ulrich Kuehn discovered the fix was incomplete (CVE-2006-5462)
Users of Thunderbird are advised to upgrade to this update, which contains Thunderbird version 1.5.0.8 that corrects these issues.
|