Mozilla Foundation Security Advisory 2007-40

Upgraded Thunderbird 1.5.0.13 missing fix for MFSA 2007-23

Announced

December 19, 2007

Reporter

Stephen Donner

Impact

Critical

Products

Thunderbird

Fixed in

Thunderbird 1.5.0.14

Description

Mozilla tester Stephen Donner reported that only users who installed Thunderbird 1.5.0.13 using the install package received the fix for MFSA 2007-23. Users who upgraded to Thunderbird 1.5.0.13 from an earlier version using the automatic update mechanism were not protected. If those users browsed the internet using Internet Explorer or another similarly affected program and clicked on a malicious mailto: link the attacker could potentially execute arbitrary code.

Workaround

Mozilla highly recommends using Firefox to browse the web to prevent attackers from exploiting this problem in Internet Explorer.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=393823
CVE-2007-3670

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice