Mozilla on Wednesday updated its email client with the release of Thunderbird 2.0.0.19, which addresses seven flaws – most of which were also fixed in the Firefox browser update 3.0.5 earlier this month.
Five of the flaws were rated “moderate,” and two were rated “low,” out of Mozilla's four-tiered rating scale of critical, high, moderate and low.
Of the moderate bugs: A vulnerability titled “XSS and JavaScript privilege escalation” involves XBL binding, when attached to an unloaded document, can be used to violate the same-origin policy and execute arbitrary JavaScript within the context of a different website, according to Mozilla's release notes.
The vulnerability titled “cross-domain data theft via script redirect error message” could be used by a malicious website to steal private data from users who are authenticated on the redirected website. The vulnerability titled “XMLHttpRequest 302 response disclosure” could cause potentially sensitive data to be revealed, including URL parameters and content in the response body.
The vulnerability titled “information stealing via loadBindingDocument” could result in XBL bindings being used to read data from other domains, a violation of the same-origin policy, according to Mozilla's release notes. “Crashes with evidence of memory corruption” is the title of a vulnerability that involves stability bugs in the browser engine used in Firefox and other Mozilla-based products. Mozilla said that some of the crashes showed evidence of memory corruption, and it is presumed that some could be exploited to run arbitrary code.
Five of the flaws were rated “moderate,” and two were rated “low,” out of Mozilla's four-tiered rating scale of critical, high, moderate and low.
Of the moderate bugs: A vulnerability titled “XSS and JavaScript privilege escalation” involves XBL binding, when attached to an unloaded document, can be used to violate the same-origin policy and execute arbitrary JavaScript within the context of a different website, according to Mozilla's release notes.
The vulnerability titled “cross-domain data theft via script redirect error message” could be used by a malicious website to steal private data from users who are authenticated on the redirected website. The vulnerability titled “XMLHttpRequest 302 response disclosure” could cause potentially sensitive data to be revealed, including URL parameters and content in the response body.
The vulnerability titled “information stealing via loadBindingDocument” could result in XBL bindings being used to read data from other domains, a violation of the same-origin policy, according to Mozilla's release notes. “Crashes with evidence of memory corruption” is the title of a vulnerability that involves stability bugs in the browser engine used in Firefox and other Mozilla-based products. Mozilla said that some of the crashes showed evidence of memory corruption, and it is presumed that some could be exploited to run arbitrary code.
