Beschreibung
Multiple serious vulnerabilities have been found in Mozilla Thunderbird. Malicious users can exploit these vulnerabilities to obtain sensitive information, run arbitrary code, cause a denial of service, spoof user interface and gain privilege escalation.
Below is a complete list of vulnerabilities
- Memory corruption vulnerability in JIT code allocation can be exploited remotely to bypass ASLR and DEP protections and cause a denial of service as a result;
- Use-after-free vulnerability can be exploited remotely while manipulating XSL in XSLT documents;
- Incorrect handling of sharing hash codes between pages in java script vulnerability can be exploited remotely to cause a denial of service;
- Use-after-free vulnerability can be exploited remotely via fuzzing during DOM manipulation of SVG content;
- Insecure methods in the Json Viewer in the Developer Tools can be exploited remotely to allow a potential privilege escalation;
- Use-after-free vulnerability in the Media Decoder can be exploited remotely to obtain sensitive information;
- Improper handling of some Unicode characters in URLs can be exploited remotely to allow spoofing of domain names in the location bar;
- Memory corruption vulnerability can be exploited remotely to run arbitrary code;
Technical details
Vulnerability (5) can be caused by using insecure methods of creating a communication channel for copying and viewing JSON or HTTP headers data.
NB: This vulnerabilities have no public CVSS rating so rating can be changed by the time.
NB: At this moment Mozilla just reserved CVE numbers for this vulnerabilities. Information can be changed soon.
Ursprüngliche Informationshinweise
CVE Liste
- CVE-2017-5375 critical
- CVE-2017-5376 critical
- CVE-2017-5378 critical
- CVE-2017-5380 critical
- CVE-2017-5390 critical
- CVE-2017-5396 critical
- CVE-2017-5383 critical
- CVE-2017-5373 critical
Mehr erfahren
Informieren Sie sich über die Statistiken der in Ihrer Region verbreiteten Sicherheitslücken statistics.securelist.com