Thunderbird Flaw Fixed

Tuesday, January 28, 2014 @ 04:01 PM gHale

Mozilla fixed a critical vulnerability in the desktop version of the Thunderbird email client.

Ateeq ur Rehman Khan, a Pakistani security researcher from Vulnerability Laboratory, reported the issue to Mozilla in May 2013, but the company confirmed fixing it earlier this month.

The validation and filter bypass vulnerability was successfully reproduced on Thunderbird 17.0.6, which at the time of testing was the latest version.

The flaw existed in Mozilla’s Gecko engine. This means the vulnerability could have an impact on other applications that use Gecko, including SeaMonkey.

Attackers could have easily bypassed the security controls and filters used in Thunderbird by using a traditional tag, which the application was filtering, according to a Vulnerability Lab report.

The flaw first came to light after researchers attached a debugger to Thunderbird.exe, the application’s main executable, and analyzed the application’s backend responses.

“By default, HTML tags like script and iframe are blocked in Thunderbird and get filtered immediately upon insertion,” the researcher said.

“However, while drafting a new email message, attackers can easily bypass the current input filters by encoding their payloads with base64 encryption and using the object tag and insert malicious scripts / code eg. (script / frame) within the emails and send it to the victims. The exploit gets triggered once the victim decides to reply back and clicks on the ‘Reply’ or ‘Forward’ Buttons.”

“After successfully bypassing the input filters, an attacker can inject malicious persistent script code while writing a new email and send it to victims,” the report said. “Interestingly the payload gets filtered during the initial viewing mode however if the victim clicks on Reply or Forward, the injected code gets executed successfully.”

“This sort of vulnerability can result in multiple attack vectors on the client end which may eventually result in complete compromise of the end user system. The persistent code injection vulnerability is located within the main application.”
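The report describes a filter that checks the raw markup but not what an encoded attribute decodes to. The following is an added example, not code from Mozilla or Vulnerability Lab, of a mail-filter check that decodes base64 content on `object` tags and re-applies the same tag blocklist to it. The `data:` URI carrier, the function and class names, and the sample message are assumptions made for illustration.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

BLOCKED_TAGS = {"script", "iframe"}  # tags the article says are filtered
CARRIER_TAGS = {"object"}            # tag the article names in the bypass
# Assumption: the encoded payload sits in a base64 data: URI attribute value.
DATA_URI = re.compile(r"^data:[^,]*;base64,(.*)$", re.I | re.S)


class TagCollector(HTMLParser):
    """Records (tag, attrs) for every start tag in an HTML fragment."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, attrs))


def find_hidden_blocked_tags(html, depth=3):
    """Return blocked tags in the markup or inside decoded base64 attributes."""
    parser = TagCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for tag, attrs in parser.tags:
        if tag in BLOCKED_TAGS:
            findings.append(tag)
        if tag not in CARRIER_TAGS or depth == 0:
            continue  # depth bounds recursion through nested encodings
        for _name, value in attrs:
            match = DATA_URI.match((value or "").strip())
            if not match:
                continue
            try:
                decoded = base64.b64decode(match.group(1)).decode("utf-8", "replace")
            except (binascii.Error, ValueError):
                continue  # not valid base64, nothing to inspect
            inner = find_hidden_blocked_tags(decoded, depth - 1)
            findings += [f"{tag}>{t}" for t in inner]
    return findings


# Constructed sample: a harmless marker script, encoded at run time.
ENCODED = base64.b64encode(b"<script>/* constructed marker */</script>").decode()
SAMPLE = f'<p>Hi</p><object data="data:text/html;base64,{ENCODED}"></object>'
```

Running the same check on the quoted body that a reply or forward builds, not only on the message as first displayed, covers the path where the report says the filtering was skipped.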

An attacker needs only low or medium user interaction to exploit this vulnerability. If exploited successfully, the flaw allows malicious code or scripts to run within the victim’s Thunderbird desktop application engine.

The Mozilla Security Team rated the vulnerability “sec-critical/sec-high” after the Vulnerability Lab team demonstrated multiple attack scenarios.