In my previous post I detailed how the Mozilla suite has an unpatched input validation vulnerability in how it handles URL protocol handlers. Together with this I detailed several XPI exploits that could be used to target Thunderbird 2.0.0.4.

I detailed my reason for publishing this vulnerability report in my Bugtraq post.

Thunderbird 2.0.0.5 was released on July 19 and incidentally fixed this specific attack vector through its “osint” command line flag. It is now 6 days later and people should have had time to update their Thunderbird installations, so I have decided to publish my vulnerability report together with the exploits as they detail how to handle XPI exploitation.

Unfortunately, the latest release of Thunderbird 1.5, version 1.5.0.12, has not been updated with this “osint” security patch and as such all Thunderbird 1.5 users are vulnerable against this attack and those exploits. Now would be a good time to upgrade to Thunderbird 2.0.

I stayed with Thunderbird 1.0 for quite a while myself out of concern for the upgrade process and the potential for losing emails. If you have those same concerns I can highly recommend MozBackup, which does a great job in ensuring that all of your data is safely transitioned from Thunderbird 1.5 to Thunderbird 2.0.

Bugzilla reports #389610 and #389613 are the currently open Bugzilla reports that are focused on backporting the “osint” security patch to the older Thunderbird 1.5 branch.