KLA10970
Multiple vulnerabilities in Mozilla Thunderbird

Multiple serious vulnerabilities have been found in Mozilla Thunderbird. Malicious users can exploit these vulnerabilities to obtain sensitive information, run arbitrary code and cause a denial of service.

Below is a complete list of vulnerabilities

1. Memory curruption vulnerability in asm.js can be exploited remotely to bypass of ASLR and DEP protections leading to a denial of service;
2. Memory corruption vulnerability in triggerable web content can be exploited remotely to cause a denial of service;
3. Use-after-free vulnerability, which can occur when events are fired, after their destroying in the FontFace objects can be exploited remotely to cause a denial of service;
4. Use-after-free vulnerability, which can occur when manipulating ranges in selections can be exploited remotely to cause a denial of service;
5. Pixel and history stealing vulnerability in the SVG filters can be exploited remotely to obtain sensitive information;
6. Memory corrpution vulnerability in the JavaScript garbage collection can be exploited remotely to cause a denial of service;
7. Cross-origin reading vulnerability in the CORS can be exploited remotely to obtain sensitive information;
8. Usage of uninitialized values for ports in FTP connections can be exploited remotely to cause a denial of service;
9. Memory corruption vulnerability can be exploited remotely to run arbitrary code.

NB: This vulnerability have no public CVSS rating so rating can be changed by the time.

NB: At this moment Mozilla just reserved CVE numbers for this vulnerabilities. Information can be changed soon.

Mozilla Thunderbird versions earlier than 45.8.0

Update to latest version
Mozilla Thunderbird

The following public exploits exists for this vulnerability:

https://www.exploit-db.com/exploits/41660