Mozilla Releases Fixes For Thunderbird Bugs

Following closely on the release of patches for its Firefox browser earlier this week, Mozilla released an update for its e-mail client.

Sharon Gaudin, Contributor

August 3, 2007


Mozilla released an update to its Thunderbird e-mail client, patching two security vulnerabilities.

Both flaws were patched in Mozilla's browser earlier this week, with the release of Firefox 2.0.0.6. Thunderbird is getting a similar update with release 2.0.0.6 of its own.

Both vulnerabilities are related to another bug that Mozilla fixed in mid-July. That bug, rated "highly critical," had been plaguing both Firefox and Microsoft's Internet Explorer. After days of fervent online debate, Mozilla admitted about a week ago that Firefox was as much to blame as IE for the problem that caused dangerous data to be passed to third-party applications.

One fix -- MFSA 2007-27 -- takes care of an issue where Mozilla didn't percent-encode spaces and double-quotes in URIs handed off to external programs for handling. While Mozilla's advisory noted that the level of danger depends on the arguments that the receiving program supports, Thunderbird 2.0.0.4 and older versions could be used to run arbitrary script.

Mozilla is crediting researcher Jesper Johansson for pointing out the flaw, and Billy Rios and Nate McFeters for discovering a similar issue with URIs passed to external handlers.
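The effect of the percent-encoding fix described above can be seen in a short sketch. This is an added example, not code from the article or from Mozilla. The handler template, the `mailclient.exe` name and the sample URI are constructed, and Python's `shlex` stands in for whatever command-line parser the receiving program uses.

```python
import shlex

# The two characters the advisory says were left unencoded in URIs
# handed to external programs.
UNSAFE = {" ": "%20", '"': "%22"}

# Hypothetical handler registration in the common  program "%1"  form.
HANDLER_TEMPLATE = 'mailclient.exe -url "%1"'

# Constructed sample URI containing a raw space and raw double quotes.
SAMPLE_URI = 'example:item one" --unexpected "two'


def encode_for_handler(uri: str) -> str:
    """Percent-encode spaces and double quotes, leaving every other
    character (including existing %XX escapes) untouched."""
    return "".join(UNSAFE.get(ch, ch) for ch in uri)


def handler_argv(uri: str, encode: bool) -> list[str]:
    """Substitute the URI into the handler template and return the
    argument list the receiving program would parse from it."""
    value = encode_for_handler(uri) if encode else uri
    command_line = HANDLER_TEMPLATE.replace("%1", value)
    # shlex is an assumption standing in for the real parser.
    return shlex.split(command_line)


def is_single_argument(uri: str, encode: bool) -> bool:
    """True when the URI reaches the handler as exactly one argument,
    i.e. the template's own three tokens and nothing more."""
    return len(handler_argv(uri, encode)) == 3


if __name__ == "__main__":
    for encode in (False, True):
        print("encoded" if encode else "raw", handler_argv(SAMPLE_URI, encode))
```

Without encoding, the raw double quote closes the quoted `%1` slot early and the rest of the URI is parsed as separate arguments; with encoding, the whole URI stays inside one argument.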

The second fix -- MFSA 2007-26 -- takes care of a bug that was introduced by the patch for MFSA 2007-20. The vulnerability could enable privilege escalation attacks against add-ons that create "about:blank" windows. A Mozilla researcher, called moz_bug_r_a4, is credited with reporting this bug.

Just last week, Mozilla effectively gave Thunderbird the boot. In a blog post, Mozilla CEO Mitchell Baker wrote, "We have concluded that we should find a new, separate organizational setting for Thunderbird; one that allows the Thunderbird community to determine its own destiny."

It's a move that Mozilla said actually is for Thunderbird's own good. The organization is putting so much of its muscle behind the push for Firefox that Thunderbird simply hasn't been getting the attention it needs.
