Mozilla on Wednesday updated its email client with the release of Thunderbird 184.108.40.206, which addresses seven flaws – most of which were also fixed in the Firefox browser update 3.0.5
earlier this month.
Five of the flaws were rated “moderate,” and two were rated “low,” out of Mozilla's four-tiered rating scale of critical, high, moderate and low.
The vulnerability titled “cross-domain data theft via script redirect error message” could be used by a malicious website to steal private data from users who are authenticated on the redirected website. The vulnerability titled “XMLHttpRequest 302 response disclosure” could cause potentially sensitive data to be revealed, including URL parameters and content in the response body.
The vulnerability titled “information stealing via loadBindingDocument” could result in XBL bindings being used to read data from other domains, a violation of the same-origin policy, according to Mozilla's release notes. “Crashes with evidence of memory corruption” is the title of a vulnerability that involves stability bugs in the browser engine used in Firefox and other Mozilla-based products. Mozilla said that some of the crashes showed evidence of memory corruption, and it is presumed that some could be exploited to run arbitrary code.