Multiple serious vulnerabilities have been found in Mozilla Thunderbird. Malicious users can exploit these vulnerabilities to obtain sensitive information, run arbitrary code, cause a denial of service, spoof user interface and gain privilege escalation.

Below is a complete list of vulnerabilities

1. Memory corruption vulnerability in JIT code allocation can be exploited remotely to bypass ASLR and DEP protections and cause a denial of service as a result;
2. Use-after-free vulnerability can be exploited remotely while manipulating XSL in XSLT documents;
3. Incorrect handling of sharing hash codes between pages in java script vulnerability can be exploited remotely to cause a denial of service;
4. Use-after-free vulnerability can be exploited remotely via fuzzing during DOM manipulation of SVG content;
5. Insecure methods in the Json Viewer in the Developer Tools can be exploited remotely to allow a potential privilege escalation;
6. Use-after-free vulnerability in the Media Decoder can be exploited remotely to obtain sensitive information;
7. Improper handling of some Unicode characters in URLs can be exploited remotely to allow spoofing of domain names in the location bar;
8. Memory corruption vulnerability can be exploited remotely to run arbitrary code;

Technical details

Vulnerability (5) can be caused by using insecure methods of creating a communication channel for copying and viewing JSON or HTTP headers data.

NB: This vulnerabilities have no public CVSS rating so rating can be changed by the time.

NB: At this moment Mozilla just reserved CVE numbers for this vulnerabilities. Information can be changed soon.

Mozilla Thunderbird versions earlier than 45.7

Update to the latest version
Mozilla Thunderbird

MFSA