PROBLEM:
A weakness and multiple vulnerabilities have been reported in Mozilla Thunderbird and SeaMonkey.
PLATFORM:
The vulnerabilities are reported in Thunderbird versions prior to 17.0.3 and SeaMonkey versions prior to 2.16.
ABSTRACT:
A weakness and multiple vulnerabilities have been reported in Mozilla Thunderbird and SeaMonkey, which can be exploited by malicious people to disclose potentially sensitive information, conduct spoofing attacks, bypass certain security restrictions, and compromise a user's system.
REFERENCE LINKS:
Secunia Advisory SA52280
Mozilla Security Advisory 2013-21
CVE-2013-0765
CVE-2013-0772
CVE-2013-0773
CVE-2013-0774
CVE-2013-0775
CVE-2013-0776
CVE-2013-0777
CVE-2013-0778
CVE-2013-0779
CVE-2013-0780
CVE-2013-0781
CVE-2013-0782
CVE-2013-0783
CVE-2013-0784
IMPACT ASSESSMENT:
High
DISCUSSION:
An out-of-bounds read can be triggered in mozilla::image::RasterImage::DrawFrameTo() when rendering GIF images, potentially exposing sensitive data that is ostensibly inaccessible.
A WebIDL object can be wrapped multiple times to overwrite the existing wrapped state and potentially execute arbitrary code.
Some protections in Chrome Object Wrappers (COW) and System Only Wrappers (SOW) can be bypassed to obtain information from chrome objects and possibly execute arbitrary code.
IMPACT:
A remote user can create specially crafted content that, when loaded by the target user, will execute arbitrary code on the target user's system. The code will run with the privileges of the target user.
A remote user can determine the file system location of the active browser profile.
A remote proxy server can return a 407 response. When the user cancels the proxy's authentication prompt, the address bar will continue to show the requested HTTPS URL.
SOLUTION:
Update to current versions of Thunderbird and SeaMonkey.