Multiple serious vulnerabilities have been found in Mozilla Thunderbird. Malicious users can exploit these vulnerabilities to obtain sensitive information, run arbitrary code and cause a denial of service.

Below is a complete list of vulnerabilities

1. Memory curruption vulnerability in asm.js can be exploited remotely to bypass of ASLR and DEP protections leading to a denial of service;
2. Memory corruption vulnerability in triggerable web content can be exploited remotely to cause a denial of service;
3. Use-after-free vulnerability, which can occur when events are fired, after their destroying in the FontFace objects can be exploited remotely to cause a denial of service;
4. Use-after-free vulnerability, which can occur when manipulating ranges in selections can be exploited remotely to cause a denial of service;
5. Pixel and history stealing vulnerability in the SVG filters can be exploited remotely to obtain sensitive information;
6. Memory corrpution vulnerability in the JavaScript garbage collection can be exploited remotely to cause a denial of service;
7. Cross-origin reading vulnerability in the CORS can be exploited remotely to obtain sensitive information;
8. Usage of uninitialized values for ports in FTP connections can be exploited remotely to cause a denial of service;
9. Memory corruption vulnerability can be exploited remotely to run arbitrary code.

NB: This vulnerability have no public CVSS rating so rating can be changed by the time.

NB: At this moment Mozilla just reserved CVE numbers for this vulnerabilities. Information can be changed soon.

Mozilla Thunderbird versions earlier than 45.8.0

Update to latest version
Mozilla Thunderbird

MFSA 2017-07