Multiple Vulnerabilities in Mozilla Thunderbird Could Allow for Arbitrary Code Execution
MS-ISAC ADVISORY NUMBER: 2017-058
Multiple vulnerabilities have been identified in Mozilla Thunderbird, the most severe of which could allow for arbitrary code execution. Mozilla Thunderbird is an email client. Successful exploitation may allow an attacker to execute arbitrary remote code in the context of the user running the affected application. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
There are currently no reports of these vulnerabilities being exploited in the wild.
- Large and medium government entities: HIGH
- Small government entities: MEDIUM
- Large and medium business entities: HIGH
- Small business entities: MEDIUM
Mozilla has confirmed the following vulnerabilities in Thunderbird:
- A use-after-free vulnerability with the frameloader during tree reconstruction while regenerating CSS layout when attempting to use a node in the tree that no longer exists results in a potentially exploitable crash (CVE-2017-5472).
- A use-after-free vulnerability when using an incorrect URL during the reloading of a docshell results in a potentially exploitable crash (CVE-2017-7749).
- A use-after-free vulnerability during video control operations when a track element holds a reference to an older window if that window has been replaced in the DOM results in a potentially exploitable crash (CVE-2017-7750).
- A use-after-free vulnerability with content viewer listeners results in a potentially exploitable crash (CVE-2017-7751).
- A use-after-free vulnerability during specific user interactions with the input method editor (IME) in some languages due to how events are handled results in a potentially exploitable crash but requires specific user interaction to trigger (CVE-2017-7752).
- An out-of-bounds read vulnerability in WebGL using a maliciously crafted ImageInfo object during WebGL operations (CVE-2017-7754).
- A use-after-free and use-after-scope vulnerability when logging errors from headers for XML HTTP Requests (XHR) could result in a potentially exploitable crash (CVE-2017-7756).
- A use-after-free vulnerability in IndexedDB when one of its objects is destroyed in memory while a method on it is still being executed results in a potentially exploitable crash (CVE-2017-7757).
- A number of security vulnerabilities in the Graphite 2 library including out-of-bounds reads, buffer overflow reads and writes, and the use of uninitialized memory (CVE-2017-7778).
- An out-of-bounds read vulnerability with the Opus encoder when the number of channels in an audio stream changes while the encoder is in use (CVE-2017-7758).
- A domain name spoofing attack, only affecting OS X operating systems, when Mac fonts render some Unicode characters as spaces (CVE-2017-7763).
- A domain name spoofing attack through character confusion when characters from the "Canadian Syllabics" Unicode block are mixed with characters from other Unicode blocks in the address bar instead of being rendered in their raw "punycode" form (CVE-2017-7764).
- A “Mark of the Web” bypass vulnerability when saving executable files (CVE-2017-7765).
- Memory safety bugs that could be exploited to run arbitrary code (CVE-2017-5470).
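As an added illustration of the spoofing class behind CVE-2017-7764 (example code written for this advisory, not from Mozilla or MS-ISAC): a Python check that flags any host label mixing characters from the Canadian Syllabics block with another script and returns the Punycode ("xn--") form a client should display instead. The sample hostnames are constructed, and the script buckets are a coarse approximation derived from Unicode character names.

```python
import unicodedata

# Unified Canadian Aboriginal Syllabics block and its Extended block
# (the Extended range is included here as an assumption for completeness).
CANADIAN_SYLLABICS_RANGES = ((0x1400, 0x167F), (0x18B0, 0x18FF))


def is_canadian_syllabics(ch: str) -> bool:
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in CANADIAN_SYLLABICS_RANGES)


def label_scripts(label: str) -> set:
    """Return a coarse set of script classes present in one host label."""
    scripts = set()
    for ch in label:
        if ch.isascii() and (ch.isdigit() or ch == "-"):
            continue  # digits and hyphens are script-neutral in hostnames
        if is_canadian_syllabics(ch):
            scripts.add("Canadian Syllabics")
        elif ch.isascii():
            scripts.add("Latin")
        else:
            # Bucket other characters by the first word of their Unicode name
            # (e.g. "CYRILLIC SMALL LETTER A" -> "Cyrillic"); coarse but enough here.
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0].title())
    return scripts


def check_hostname(host: str) -> dict:
    """Map each label that mixes Canadian Syllabics with another script to its Punycode form.

    A label made only of Canadian Syllabics is not a mix and is not flagged;
    the point is the mixed rendering the advisory describes.
    """
    findings = {}
    for label in host.split("."):
        scripts = label_scripts(label)
        if "Canadian Syllabics" in scripts and len(scripts) > 1:
            # str.encode("idna") applies nameprep and Punycode per label, giving the
            # "xn--" form a mail client or browser should show for a mixed label.
            findings[label] = label.encode("idna").decode("ascii")
    return findings


if __name__ == "__main__":
    # Constructed sample: Latin letters followed by U+1472 CANADIAN SYLLABICS KA.
    for host in ("mail.example.com", "example\u1472.com"):
        print(host, "->", check_hostname(host) or "no mixed-script labels")
```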
The most severe vulnerability may allow an attacker to execute arbitrary code in the context of the affected application or result in denial-of-service conditions. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
We recommend the following actions be taken:
- Apply appropriate updates provided by Mozilla to vulnerable systems, immediately after appropriate testing.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
- Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
- Apply the Principle of Least Privilege to all systems and services.