eEye Digital Security

I run Thunderbird 2.0.0.22 and Thunderbird 3.0b2 and I can't get rid of the two vulnerabilities which is supposed to be fixed by 2.0.0.22.

Is the detection scheme not working?

can you paste the audit findings here in the forum? That'll help me trace the audit to let you know how we're detecting it.

Thanks.

bpatten:

can you paste the audit findings here in the forum? That'll help me trace the audit to let you know how we're detecting it.

Thanks.

Is this what you are asking for?

and the second one:

bpatten:

can you paste the audit findings here in the forum? That'll help me trace the audit to let you know how we're detecting it.

Thanks.

By the way the header for the first audit was: Mozilla Multiple Vulnerabilities (20090421) - Windows - Thunderbird

and the second one was: Mozilla Multiple Vulnerabilities (20090611) - Windows - Thunderbird

Sorry, I should have included them...  By the way, I do not have Seamonkey. I have Firefox 3.5 RC3 installed.

It appears that the audit is looking at the file version:

%ProgramFiles%\Mozilla Thunderbird\thunderbird.exe

Can you make sure thunderbird is above 2.0.0.22?

Thanks.

bpatten:

It appears that the audit is looking at the file version:

%ProgramFiles%\Mozilla Thunderbird\thunderbird.exe

Can you make sure thunderbird is above 2.0.0.22?

Thanks.

 

C:\Program Files\Mozilla Thunderbird\thunderbird.exe properties product version lists as 2.0.0.22, and file version as 1.8.1.22: 2009060502

C:\Program Files\Mozilla Thunderbird 3 Beta 2\thunderbird,exe properties product version lists as 3.0b2, and file versions as 1.9.1b3pre

vkundakci:

bpatten:

It appears that the audit is looking at the file version:

%ProgramFiles%\Mozilla Thunderbird\thunderbird.exe

Can you make sure thunderbird is above 2.0.0.22?

Thanks.

 

 

C:\Program Files\Mozilla Thunderbird\thunderbird.exe properties product version lists as 2.0.0.22, and file version as 1.8.1.22: 2009060502

C:\Program Files\Mozilla Thunderbird 3 Beta 2\thunderbird,exe properties product version lists as 3.0b2, and file versions as 1.9.1b3pre

 

It might be flagging since there was no patched version available to correctly determine the fixed level at the time of the audit was written.  This is not uncommon with Thunderbird--Historically for the past several security releases, Mozilla has stated a certain version of Thunderbird has been patched in a certain version, but upon going to the main site to download, you are offered a vulnerable version to download.   I believe it was their update with Firefox 3.0.11 that stated SeaMonkey and Thunderbird should disable javascript to mitigate vulnerabilities since a fixed version was not  yet available.  To be quite honest, the audit may simply just need to be updated to detect the patched version--and please beware when using Thunderbird--I highly recommend you disable Javascript since this app is typically not patched in the same timely manner as Firefox is...

nomuus:

It might be flagging since there was no patched version available to correctly determine the fixed level at the time of the audit was written.  This is not uncommon with Thunderbird--Historically for the past several security releases, Mozilla has stated a certain version of Thunderbird has been patched in a certain version, but upon going to the main site to download, you are offered a vulnerable version to download.   I believe it was their update with Firefox 3.0.11 that stated SeaMonkey and Thunderbird should disable javascript to mitigate vulnerabilities since a fixed version was not  yet available.  To be quite honest, the audit may simply just need to be updated to detect the patched version--and please beware when using Thunderbird--I highly recommend you disable Javascript since this app is typically not patched in the same timely manner as Firefox is...

Thanks.  In config editor I see that javascript.enabled is set to false.  I don't see any other places to set this in Thunderbird.  Thunderbird 2.0.0.22 just came out recently.  So can I assume that the Blink's audit will be updated?

 Yes, It will be looked into and updated if necessary.

I just wanted to add that I'm seeing the same here.  All the machines in my lab have been updated to Thunderbird 2.0.0.22 and Retina is reporting a false positive on all of them (which is killing my Level 1 vulnerability tally, BTW).  Please fix the regular expression in your audit rule ASAP.  In the meantime, I'm filtering this rule out of my audits.  Thanks!

Pierce

vkundakci:

 

By the way the header for the first audit was: Mozilla Multiple Vulnerabilities (20090421) - Windows - Thunderbird

and the second one was: Mozilla Multiple Vulnerabilities (20090611) - Windows - Thunderbird

 

Sorry, I should have included them...  By the way, I do not have Seamonkey. I have Firefox 3.5 RC3 installed.

 

This should be fixed in the next audits release 2104.  Btw, just in case you didn't get the several annoying notifications from Mozilla like the rest of us (heh:) Firefox 3.5 is now GA.

nomuus:

This should be fixed in the next audits release 2104.  Btw, just in case you didn't get the several annoying notifications from Mozilla like the rest of us (heh:) Firefox 3.5 is now GA.

Thanks,  I did not get anything (annoying or otherwise) from Mozilla but, yes, I am now running 3.5.  Maybe I did, but I am used to tuning out nagging notices...