Mozilla patches critical Thunderbird flaw

Mozilla patches critical Thunderbird flaw


Attackers could remotely execute code on compromised systems

Users are being urged to update their copies of Mozilla's Thunderbird and SeaMonkey email applications after the disclosure of a serious security flaw.

The advisory warns of a 'critical' flaw in the two applications which could allow an attacker to remotely execute code on compromised systems.

Mozilla said that the vulnerability lies in the way Thunderbird handles Mime content in email messages.

By sending a specially crafted message, an attacker could trigger a buffer overflow error which would leave the user vulnerable to the remote installation and launch of malware.

Discovery of the flaw was credited to a security researcher using the name 'regenrecht', who reported the vulnerability in January via iDefense.

The vulnerability is patched in Thunderbird 2.0.0.12 and SeaMonkey 1.1.8. The US Computer Emergency Response Team recommended that users update to the latest versions of both applications.

Users can also patch the flaw by changing the application's 'mailnews.display.disallow_mime_handlers' property to any value greater than three.

News of the vulnerability comes just one week after Mozilla spun off Thunderbird into a subsidiary company known as Mozilla Messaging.