Vulnerability Assessment

Re: Thunderbird vulnerability fix not detected

vkundakci — Fri, 10 Jul 2009 03:23:32 GMT

nomuus:

This should be fixed in the next audits release 2104. Btw, just in case you didn't get the several annoying notifications from Mozilla like the rest of us (heh:) Firefox 3.5 is now GA.

Thanks, I did not get anything (annoying or otherwise) from Mozilla but, yes, I am now running 3.5. Maybe I did, but I am used to tuning out nagging notices...

Re: Thunderbird vulnerability fix not detected

nomuus — Thu, 09 Jul 2009 23:01:58 GMT

vkundakci:

By the way the header for the first audit was: Mozilla Multiple Vulnerabilities (20090421) - Windows - Thunderbird

and the second one was: Mozilla Multiple Vulnerabilities (20090611) - Windows - Thunderbird

Sorry, I should have included them... By the way, I do not have Seamonkey. I have Firefox 3.5 RC3 installed.

This should be fixed in the next audits release 2104. Btw, just in case you didn't get the several annoying notifications from Mozilla like the rest of us (heh:) Firefox 3.5 is now GA.

Re: Thunderbird vulnerability fix not detected

xepiercex — Thu, 09 Jul 2009 22:34:03 GMT

I just wanted to add that I'm seeing the same here. All the machines in my lab have been updated to Thunderbird 2.0.0.22 and Retina is reporting a false positive on all of them (which is killing my Level 1 vulnerability tally, BTW). Please fix the regular expression in your audit rule ASAP. In the meantime, I'm filtering this rule out of my audits. Thanks!

Pierce

Re: Thunderbird vulnerability fix not detected

nomuus — Mon, 06 Jul 2009 16:53:10 GMT

Yes, It will be looked into and updated if necessary.

Re: Thunderbird vulnerability fix not detected

vkundakci — Mon, 06 Jul 2009 02:07:52 GMT

nomuus:

It might be flagging since there was no patched version available to correctly determine the fixed level at the time of the audit was written. This is not uncommon with Thunderbird--Historically for the past several security releases, Mozilla has stated a certain version of Thunderbird has been patched in a certain version, but upon going to the main site to download, you are offered a vulnerable version to download. I believe it was their update with Firefox 3.0.11 that stated SeaMonkey and Thunderbird should disable javascript to mitigate vulnerabilities since a fixed version was not yet available. To be quite honest, the audit may simply just need to be updated to detect the patched version--and please beware when using Thunderbird--I highly recommend you disable Javascript since this app is typically not patched in the same timely manner as Firefox is...

Thanks. In config editor I see that javascript.enabled is set to false. I don't see any other places to set this in Thunderbird. Thunderbird 2.0.0.22 just came out recently. So can I assume that the Blink's audit will be updated?

Re: Thunderbird vulnerability fix not detected

nomuus — Fri, 03 Jul 2009 18:43:37 GMT

vkundakci:

bpatten:

It appears that the audit is looking at the file version:

%ProgramFiles%\Mozilla Thunderbird\thunderbird.exe

Can you make sure thunderbird is above 2.0.0.22?

Thanks.

C:\Program Files\Mozilla Thunderbird\thunderbird.exe properties product version lists as 2.0.0.22, and file version as 1.8.1.22: 2009060502

C:\Program Files\Mozilla Thunderbird 3 Beta 2\thunderbird,exe properties product version lists as 3.0b2, and file versions as 1.9.1b3pre

It might be flagging since there was no patched version available to correctly determine the fixed level at the time of the audit was written. This is not uncommon with Thunderbird--Historically for the past several security releases, Mozilla has stated a certain version of Thunderbird has been patched in a certain version, but upon going to the main site to download, you are offered a vulnerable version to download. I believe it was their update with Firefox 3.0.11 that stated SeaMonkey and Thunderbird should disable javascript to mitigate vulnerabilities since a fixed version was not yet available. To be quite honest, the audit may simply just need to be updated to detect the patched version--and please beware when using Thunderbird--I highly recommend you disable Javascript since this app is typically not patched in the same timely manner as Firefox is...

Re: Thunderbird vulnerability fix not detected

vkundakci — Tue, 30 Jun 2009 23:36:41 GMT

bpatten:

It appears that the audit is looking at the file version:

%ProgramFiles%\Mozilla Thunderbird\thunderbird.exe

Can you make sure thunderbird is above 2.0.0.22?

Thanks.

C:\Program Files\Mozilla Thunderbird\thunderbird.exe properties product version lists as 2.0.0.22, and file version as 1.8.1.22: 2009060502

C:\Program Files\Mozilla Thunderbird 3 Beta 2\thunderbird,exe properties product version lists as 3.0b2, and file versions as 1.9.1b3pre

Re: Thunderbird vulnerability fix not detected

bpatten — Tue, 30 Jun 2009 03:07:30 GMT

It appears that the audit is looking at the file version:

%ProgramFiles%\Mozilla Thunderbird\thunderbird.exe

Can you make sure thunderbird is above 2.0.0.22?

Thanks.

Re: Thunderbird vulnerability fix not detected

vkundakci — Fri, 26 Jun 2009 20:32:23 GMT

bpatten:

can you paste the audit findings here in the forum? That'll help me trace the audit to let you know how we're detecting it.

Thanks.

By the way the header for the first audit was: Mozilla Multiple Vulnerabilities (20090421) - Windows - Thunderbird

and the second one was: Mozilla Multiple Vulnerabilities (20090611) - Windows - Thunderbird

Sorry, I should have included them... By the way, I do not have Seamonkey. I have Firefox 3.5 RC3 installed.

Re: Thunderbird vulnerability fix not detected

vkundakci — Fri, 26 Jun 2009 20:26:09 GMT

bpatten:

can you paste the audit findings here in the forum? That'll help me trace the audit to let you know how we're detecting it.

Thanks.

Is this what you are asking for?

BID	34656, 33837
CVE	CVE-2009-1312, CVE-2009-1310, CVE-2009-1306, CVE-2009-1308, CVE-2009-1307, CVE-2009-1309, CVE-2009-0652, CVE-2009-1304, CVE-2009-1305, CVE-2009-1311, CVE-2009-1303, CVE-2009-1302
Description	Multiple vulnerabilities exist in Mozilla products (Firefox, Thunderbird, SeaMonkey) that could potentially allow an attacker to execute arbitrary code, bypass the same origin policy, read/write local shared objects, inject/execute arbitrary HTML or script code, spoof URLs, obtain potentially sensitive information, and/or cause denial of service conditions.
How To Fix	Update to Firefox 3.0.9, Thunderbird 2.0.0.22, SeaMonkey 1.1.16, or newest version of these products.
Links	Mozilla SeaMonkey 1.1 - Vulnerabilities Mozilla Firefox 3.0 - Vulnerabilities Secunia Advisory - 34758 Mozilla Advisory - MFSA 2009-15 Mozilla Thunderbird 2.0 - Vulnerabilities Mozilla Advisory - MFSA 2009-19 Fedora Advisory - FEDORA-2009-3893 Mozilla Advisory - MFSA 2009-16 Mozilla Advisory - MFSA 2009-17 Mozilla Advisory - MFSA 2009-14 Mozilla Advisory - MFSA 2009-20 Mozilla Advisory - MFSA 2009-21 Mozilla Advisory - MFSA 2009-18 Fedora Advisory - FEDORA-2009-3875 Mozilla Advisory - MFSA 2009-22
Risk	High

and the second one:

BID	35391, 35371, 35360, 35372, 35373, 35380, 35370, 35377, 35388, 35383, 35386
CVE	CVE-2009-1836, CVE-2009-1841, CVE-2009-1838, CVE-2009-1834, CVE-2009-1392, CVE-2009-1839, CVE-2009-1840, CVE-2009-1835, CVE-2009-1832, CVE-2009-1837, CVE-2009-1833
Description	Multiple vulnerabilities exist in Mozilla products (Firefox, Thunderbird, SeaMonkey) that could potentially allow an attacker to execute arbitrary code, bypass content-policy checks, steal arbitrary cookies, intercept SSL-based proxy requests, execute arbitrary JavaScript with chrome privileges, access arbitrary local files, and/or spoof location bar URLs.
How To Fix	Update to Firefox 3.0.11, Thunderbird 2.0.0.22, SeaMonkey 1.1.17, or newest version of these products. Note: Thunderbird and SeaMonkey fixes may not be available. As such, Mozilla suggests disabling JavaScript to deter exploitation of certain vulnerabilities.
Links	Mozilla Advisory - MFSA 2009-28 Mozilla Firefox 3.0 - Vulnerabilities Red Hat Advisory - RHSA-2009-1096 Mozilla Advisory - MFSA 2009-26 Mozilla Thunderbird 2.0 - Vulnerabilities Mozilla Advisory - MFSA 2009-32 Fedora Advisory - FEDORA-2009-6366 Mozilla Advisory - MFSA 2009-29 Mozilla Advisory - MFSA 2009-25 Mozilla Advisory - MFSA 2009-30 Mozilla Advisory - MFSA 2009-27 Red Hat Advisory - RHSA-2009-1095 Secunia Advisory - 35331 Mozilla SeaMonkey 1.1 - Vulnerabilities Mozilla Advisory - MFSA 2009-24 Mozilla Advisory - MFSA 2009-31 Fedora Advisory - FEDORA-2009-6411
Risk	High

Re: Thunderbird vulnerability fix not detected

bpatten — Fri, 26 Jun 2009 15:11:17 GMT

can you paste the audit findings here in the forum? That'll help me trace the audit to let you know how we're detecting it.

Thanks.

Thunderbird vulnerability fix not detected

vkundakci — Fri, 26 Jun 2009 00:22:20 GMT

I run Thunderbird 2.0.0.22 and Thunderbird 3.0b2 and I can't get rid of the two vulnerabilities which is supposed to be fixed by 2.0.0.22.

Is the detection scheme not working?