Mozilla Thunderbird Attachment Spoofing Vulnerability


Mozilla Thunderbird Attachment Spoofing Vulnerability

Postby Ramona » Tue 17 Jan, 2006 11:00 am

TITLE:
Mozilla Thunderbird Attachment Spoofing Vulnerability

SECUNIA ADVISORY ID:
SA15907

VERIFY ADVISORY:
http://secunia.com/advisories/15907/

CRITICAL:
Less critical

IMPACT:
Spoofing, System access

WHERE:
From remote

SOFTWARE:
Mozilla Thunderbird 1.x
http://secunia.com/product/4652/

DESCRIPTION:
Secunia Research has discovered a vulnerability in Thunderbird, which
can be exploited by malicious people to trick users into executing
arbitrary programs.

The vulnerability is caused due to attachments not being displayed
correctly in mails. This can be exploited to spoof the file extension
and the associated file type icon via a combination of overly long
filenames containing whitespaces and "Content-Type" headers not
matching the file extension.

Successful exploitation may lead to malware being saved to e.g. the
desktop.

NOTE: Attachments can be saved by dragging the attachment, or using
the "Save As..." or "Save All..." functionality. For files on the
desktop, the icon can be spoofed if it e.g. is a ".exe" or ".lnk"
file.

The vulnerability has been confirmed in versions 1.0.2, 1.0.6, and
1.0.7. Other versions may also be affected. Only the Microsoft
Windows platform is affected.

SOLUTION:
Update to version 1.5.
http://www.mozilla.com/thunderbird/

PROVIDED AND/OR DISCOVERED BY:
Andreas Sandblad, Secunia Research.

ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2005-22/advisory/

OTHER REFERENCES:
https://bugzilla.mozilla.org/show_bug.cgi?id=300246
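The advisory's spoofing pattern (a long filename whose whitespace pushes the real extension out of view, declared with a Content-Type that matches the fake one) can be checked for at a mail gateway or in a client-side filter. The following is an added example written for this thread, not code from Secunia, Mozilla or the poster; it uses only Python's standard email module, a constructed sample message, and an assumed list of executable extensions beyond the ".exe" and ".lnk" the advisory names.

```python
import re
from email import message_from_string

# Extensions Windows runs directly; ".exe" and ".lnk" come from the advisory,
# the others are an assumed supplement for this example.
EXECUTABLE_EXTS = {"exe", "lnk", "bat", "cmd", "com", "scr", "pif", "vbs"}

# Constructed sample, not from the advisory: the visible name "report.txt" is
# padded with spaces so the real ".exe" suffix sits beyond the display width,
# and the part is declared text/plain so the icon matches the fake extension.
SAMPLE_MAIL = (
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\n"
    'Content-Type: text/plain; name="report.txt' + " " * 60 + '.exe"\n'
    'Content-Disposition: attachment; filename="report.txt' + " " * 60 + '.exe"\n'
    "Content-Transfer-Encoding: base64\n\n"
    "TVo=\n"
    "--b1--\n"
)

def real_extension(name):
    """Extension as the OS resolves it: last dot-suffix, trailing blanks ignored."""
    tail = name.rstrip().rsplit(".", 1)
    return tail[1].lower() if len(tail) == 2 else ""

def visible_extension(name):
    """Extension of the part a user sees before the first long whitespace run."""
    return real_extension(re.split(r"\s{2,}", name, maxsplit=1)[0])

def attachment_findings(raw_mail, max_ws_run=3):
    """Walk the MIME parts and return [(filename, [reasons])] for attachment
    names that match the advisory: padded name, hidden extension, type mismatch."""
    findings = []
    for part in message_from_string(raw_mail).walk():
        name = part.get_filename()
        if not name:
            continue
        reasons, declared = [], part.get_content_type()
        real, shown = real_extension(name), visible_extension(name)
        if re.search(r"\s{%d,}" % (max_ws_run + 1), name):
            reasons.append("whitespace run longer than %d" % max_ws_run)
        if real != shown:
            reasons.append("visible .%s hides real .%s" % (shown, real))
        if real in EXECUTABLE_EXTS and not declared.startswith("application/"):
            reasons.append("executable .%s declared as %s" % (real, declared))
        if reasons:
            findings.append((name, reasons))
    return findings

print(attachment_findings(SAMPLE_MAIL))
```

Run against the sample, the single attachment is reported with all three reasons; a plain-text message with no attachment yields an empty list.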

Postby J-M » Wed 18 Jan, 2006 3:50 am

Thanks for sharing the word, you were quick. :wink:

It appears that both Secunia and FrSIRT companies rated this as low-risk:

Secunia: Less Critical (2/5)
FrSIRT: Low Risk (1/4)

FrSIRT's advisory is located at http://www.frsirt.com/english/advisories/2006/0230

The risk that malicious users will generate long file names including a lot of spaces is not so high.

Re: Mozilla Thunderbird Attachment Spoofing Vulnerability

Postby Antony » Wed 18 Jan, 2006 4:26 am

Ramona wrote:
TITLE:
Mozilla Thunderbird Attachment Spoofing Vulnerability

...
DESCRIPTION:
Secunia Research has discovered a vulnerability in Thunderbird, which
can be exploited by malicious people to trick users into executing
arbitrary programs.

The vulnerability is caused due to attachments not being displayed
correctly in mails. This can be exploited to spoof the file extension
and the associated file type icon via a combination of overly long
filenames containing whitespaces and "Content-Type" headers not
matching the file extension.

Successful exploitation may lead to malware being saved to e.g. the
desktop.

NOTE: Attachments can be saved by dragging the attachment, or using
the "Save As..." or "Save All..." functionality. For files on the
desktop, the icon can be spoofed if it e.g. is a ".exe" or ".lnk"
file.

The vulnerability has been confirmed in versions 1.0.2, 1.0.6, and
1.0.7. Other versions may also be affected. Only the Microsoft
Windows platform is affected.
SOLUTION:
Update to version 1.5.
http://www.mozilla.com/thunderbird/

My old-fashioned recommendation... don't open untrusted emails and attachments.