Many of the issues listed below are not exploitable through mail since JavaScript is disabled by default in Thunderbird. These particular issues may be triggered while viewing RSS feeds and displaying full remote content rather than the feed summary. Add-ons that expose browser functionality may also enable such issues to be exploited.
Impact: Critical
Description: Mozilla developers and community members identified and fixed several memory safety bugs in the browser engine used in Thunderbird 3.1 and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
References:
Gary Kwong, Igor Bukanov, Nils and Bob Clary reported memory safety issues which affected Thunderbird 3.1.
Impact: Critical
Description: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that an SVG text manipulation routine contained a dangling pointer vulnerability.
References:
Impact: Critical
Description: Mozilla security researcher moz_bug_r_a4 reported a vulnerability in event management code that would permit JavaScript to be run in the wrong context, including that of a different website or potentially in a chrome-privileged context.
References:
Impact: Critical
Description: Security researcher regenrecht reported via TippingPoint's Zero Day Initiative that appendChild did not correctly account for DOM objects it operated upon and could be exploited to dereference an invalid pointer.
References:
Impact: Critical
Description: Mozilla security researcher moz_bug_r_a4 reported that web content could receive chrome privileges if it registered for drop events and a browser tab element was dropped into the content area.
References:
Impact: High
Description: Security researcher Mitja Kolsek of Acros Security reported that ThinkPadSensor::Startup could potentially be exploited to load a malicious DLL into the running process.
References:
Impact: High
Description: Security researcher shutdown reported that data from other domains could be read when RegExp.input was set.
References: