Multiple Vulnerabilities in Mozilla Thunderbird Could Allow for Arbitrary Code Execution

ITS Advisory Number: 2017-060
Date(s) Issued: Friday, June 16, 2017
Subject: Multiple Vulnerabilities in Mozilla Thunderbird Could Allow for Arbitrary Code Execution
Overview: 

Multiple vulnerabilities have been identified in Mozilla Thunderbird, the most severe of which could allow for arbitrary code execution. Mozilla Thunderbird is an email client. Successful exploitation may allow an attacker to execute arbitrary remote code in the context of the user running the affected application. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

Systems Affected: 
  • Thunderbird versions prior to 52.2
Risk:
Government:
  • Large and medium government entities: High
  • Small government entities: Medium
Business:
  • Large and medium business entities: High
  • Small business entities: Medium
Home Users: Low
Description: 

Mozilla has confirmed the following vulnerabilities in Thunderbird:

  • A use-after-free vulnerability with the frameloader during tree reconstruction while regenerating CSS layout, when attempting to use a node in the tree that no longer exists, results in a potentially exploitable crash (CVE-2017-5472).
  • A use-after-free vulnerability when using an incorrect URL during the reloading of a docshell results in a potentially exploitable crash (CVE-2017-7749).
  • A use-after-free vulnerability during video control operations when a <track> element holds a reference to an older window if that window has been replaced in the DOM results in a potentially exploitable crash (CVE-2017-7750).
  • A use-after-free vulnerability with content viewer listeners results in a potentially exploitable crash (CVE-2017-7751).
  • A use-after-free vulnerability during specific user interactions with the input method editor (IME) in some languages, due to how events are handled, results in a potentially exploitable crash but requires specific user interaction to trigger (CVE-2017-7752).
  • An out-of-bounds read vulnerability in WebGL using a maliciously crafted ImageInfo object during WebGL operations (CVE-2017-7754).
  • A use-after-free and use-after-scope vulnerability when logging errors from headers for XML HTTP Requests (XHR) could result in a potentially exploitable crash (CVE-2017-7756).
  • A use-after-free vulnerability in IndexedDB when one of its objects is destroyed in memory while a method on it is still being executed results in a potentially exploitable crash (CVE-2017-7757).
  • A number of security vulnerabilities in the Graphite 2 library including out-of-bounds reads, buffer overflow reads and writes, and the use of uninitialized memory (CVE-2017-7778).
  • An out-of-bounds read vulnerability with the Opus encoder when the number of channels in an audio stream changes while the encoder is in use (CVE-2017-7758).
  • A domain name spoofing attack, only affecting OS X operating systems, when Mac fonts render some Unicode characters as spaces (CVE-2017-7763).
  • A domain name spoofing attack through character confusion when characters from the "Canadian Syllabics" Unicode block are mixed with characters from other Unicode blocks in the address bar instead of being rendered as their raw "punycode" (CVE-2017-7764).
  • A "Mark of the Web" bypass vulnerability when saving executable files (CVE-2017-7765).
  • Memory safety bugs that could be exploited to run arbitrary code (CVE-2017-5470).

The most severe vulnerability may allow an attacker to execute arbitrary code in the context of the running affected application or result in denial-of-service conditions. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
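
A defensive check for the CVE-2017-7764 item above, as an added example (not code from Mozilla or from this advisory): it flags hostname labels that mix Canadian Syllabics characters with characters from other Unicode blocks and reports their raw punycode form. The function names and sample hostnames are constructed for illustration, and the punycode conversion omits the IDNA normalisation step.

```python
import unicodedata

# Unified Canadian Aboriginal Syllabics block and its Extended block.
SYLLABICS_RANGES = ((0x1400, 0x167F), (0x18B0, 0x18FF))


def in_syllabics(ch):
    return any(lo <= ord(ch) <= hi for lo, hi in SYLLABICS_RANGES)


def to_unicode(label):
    """Decode an "xn--" label so its real characters can be inspected."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            pass  # malformed punycode: inspect the label as written
    return label


def to_punycode(label):
    """Raw ASCII form of a label (simplified: no IDNA normalisation step)."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def audit_hostname(host):
    """Return one finding per label that mixes syllabics with other blocks."""
    findings = []
    for raw in host.split("."):
        label = to_unicode(raw)
        syll = [c for c in label if in_syllabics(c)]
        if syll and len(syll) < len(label):
            findings.append({
                "label": label,
                "punycode": to_punycode(label),
                "syllabics": [f"U+{ord(c):04X} {unicodedata.name(c, '?')}" for c in syll],
            })
    return findings


# Constructed sample hostnames (not taken from the advisory).
SAMPLES = ["mail.example.com", "ex\u1438mple.example", "\u1403\u14c4\u1483.example"]

if __name__ == "__main__":
    for host in SAMPLES:
        for f in audit_hostname(host):
            print(f"{host!r}: mixed label -> {f['punycode']} {f['syllabics']}")
```

A label written entirely in Canadian Syllabics is not flagged; only labels that combine the block with other characters are reported, matching the condition the advisory describes.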

Actions: 
  • After appropriate testing, immediately apply updates provided by Mozilla to vulnerable systems.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.