Security Advisories for Thunderbird 1.5

Thunderbird 1.5 is unsupported. Please upgrade to the latest version.

Impact key

• Critical Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.
• High Vulnerability can be used to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions.
• Moderate Vulnerabilities that would otherwise be High or Critical except they only work in uncommon non-default configurations or require the user to perform complicated and/or unlikely steps.
• Low Minor security vulnerabilities such as Denial of Service attacks, minor data leaks, or spoofs. (Undetectable spoofs of SSL indicia would have "High" impact because those are generally used to steal sensitive data intended for other sites.)

# Fixed in Thunderbird 1.5.0.14

• 2007-40 Upgraded Thunderbird 1.5.0.13 missing fix for MFSA 2007-23
• 2007-29 Crashes with evidence of memory corruption (rv:1.8.1.8)

# Fixed in Thunderbird 1.5.0.13

• 2007-27 Unescaped URIs passed to external programs
• 2007-26 Privilege escalation through chrome-loaded about:blank windows
• 2007-23 Remote code execution by launching Firefox from Internet Explorer
• 2007-18 Crashes with evidence of memory corruption (rv:1.8.1.5)

# Fixed in Thunderbird 1.5.0.12

• 2007-15 Security Vulnerability in APOP Authentication
• 2007-12 Crashes with evidence of memory corruption (rv:1.8.0.12/1.8.1.4)

# Fixed in Thunderbird 1.5.0.10

• 2007-10 Potential integer overflow with text/enhanced mail
• 2007-06 Mozilla Network Security Services (NSS) SSLv2 buffer overflows
• 2007-01 Crashes with evidence of memory corruption (rv:1.8.0.10/1.8.1.2)

# Fixed in Thunderbird 1.5.0.9

• 2006-74 Mail header processing heap overflows
• 2006-72 XSS by setting img.src to javascript: URI
• 2006-71 LiveConnect crash finalizing JS objects
• 2006-70 Privilege escalation using watch point
• 2006-69 CSS cursor image buffer overflow (Windows only)
• 2006-68 Crashes with evidence of memory corruption (rv:1.8.0.9/1.8.1.1)

# Fixed in Thunderbird 1.5.0.8

• 2006-67 Running Script can be recompiled
• 2006-66 RSA Signature Forgery (variant)
• 2006-65 Crashes with evidence of memory corruption (rv:1.8.0.8)

# Fixed in Thunderbird 1.5.0.7

• 2006-64 Crashes with evidence of memory corruption (rv:1.8.0.7)
• 2006-63 JavaScript execution in mail via XBL
• 2006-60 RSA Signature Forgery
• 2006-59 Concurrency-related vulnerability
• 2006-58 Auto-update compromise through DNS and SSL spoofing
• 2006-57 JavaScript Regular Expression Heap Corruption

# Fixed in Thunderbird 1.5.0.5

• 2006-56 chrome: scheme loading remote content
• 2006-55 Crashes with evidence of memory corruption (rv:1.8.0.5)
• 2006-54 XSS with XPCNativeWrapper(window).Function(...)
• 2006-53 UniversalBrowserRead privilege escalation
• 2006-51 Privilege escalation using named-functions and redefined "new Object()"
• 2006-50 JavaScript engine vulnerabilities
• 2006-49 Heap buffer overwrite on malformed VCard
• 2006-48 JavaScript new Function race condition
• 2006-47 Native DOM methods can be hijacked across domains
• 2006-46 Memory corruption with simultaneous events

# Fixed in Thunderbird 1.5.0.4

• 2006-42 Web site XSS using BOM on UTF-8 pages
• 2006-40 Double-free on malformed VCard
• 2006-38 Buffer overflow in crypto.signText()
• 2006-37 Remote compromise via content-defined setter on object prototypes
• 2006-35 Privilege escalation through XUL persist.
• 2006-33 HTTP response smuggling
• 2006-32 Fixes for crashes with potential memory corruption (rv:1.8.0.4)
• 2006-31 EvalInSandbox escape (Proxy Autoconfig, Greasemonkey)

# Fixed in Thunderbird 1.5.0.2

• 2006-28 Security check of js_ValueToFunctionObject() can be circumvented
• 2006-27 Table Rebuilding Code Execution Vulnerability
• 2006-26 Mail Multiple Information Disclosure
• 2006-25 Privilege escalation through Print Preview
• 2006-24 Privilege escalation using crypto.generateCRMFRequest
• 2006-22 CSS Letter-Spacing Heap Overflow Vulnerability
• 2006-21 JavaScript execution in mail when forwarding in-line
• 2006-20 Crashes with evidence of memory corruption (rv:1.8.0.2)
• 2006-08 "AnyName" entrainment and access control hazard
• 2006-07 Read beyond buffer while parsing XML
• 2006-06 Integer overflows in E4X, SVG, and Canvas
• 2006-05 Localstore.rdf XML injection through XULDocument.persist()
• 2006-04 Memory corruption via QueryInterface on Location, Navigator objects
• 2006-02 Changing position:relative to static corrupts memory
• 2006-01 JavaScript garbage-collection hazards

# Fixed in Thunderbird 1.5

• 2006-19 Cross-site scripting using .valueOf.call()
• 2006-18 Mozilla Firefox Tag Order Vulnerability
• 2006-17 cross-site scripting through window.controllers
• 2006-16 Accessing XBL compilation scope via valueOf.call()
• 2006-15 Privilege escalation using a JavaScript function's cloned parent
• 2006-14 Privilege escalation via XBL.method.eval
• 2006-11 Crashes with evidence of memory corruption (rv:1.8)
• 2006-10 JavaScript garbage-collection hazard audit
• 2006-09 Cross-site JavaScript injection using event handlers