TITLE: Thunderbird Multiple Vulnerabilities

SECUNIA ADVISORY ID: SA20382

VERIFY ADVISORY: http://secunia.com/advisories/20382/

CRITICAL: Highly critical

IMPACT: Security Bypass, Cross Site Scripting, System access

WHERE: >From remote

SOFTWARE:
Mozilla Thunderbird 0.x
http://secunia.com/product/2637/
Mozilla Thunderbird 1.0.x
http://secunia.com/product/9735/
Mozilla Thunderbird 1.5.x
http://secunia.com/product/4652/

DESCRIPTION: Multiple vulnerabilities have been reported in Thunderbird, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting and HTTP response smuggling attacks, and potentially compromise a user's system. For more information, see vulnerabilities #1, #2, #3, #5, #6, #7, and #9 in: SA20376. Successful exploitation of some of the vulnerabilities requires that JavaScript is enabled (not enabled by default).

The following vulnerability has also been reported: The vulnerability is caused due to a double-free error within the processing of large VCards with invalid base64 characters. This may be exploited to execute arbitrary code.

SOLUTION: Update to version 1.5.0.4.
http://www.mozilla.com/thunderbird/

PROVIDED AND/OR DISCOVERED BY: Masatoshi Kimura

ORIGINAL ADVISORY: http://www.mozilla.org/security/announce/2006/mfsa2006-40.html

OTHER REFERENCES: SA20376: http://secunia.com/advisories/20376/