Risk: Medium
Four vulnerabilities have been discovered in Thunderbird 1.5.x that may allow an attacker to bypass certain security restrictions, conduct cross-site scripting attacks and potentially compromise a vulnerable system:
1. The bundled Network Security Services (NSS) library contains an incomplete fix for the RSA signature verification vulnerability.
2. There is an error in the handling of script objects, which can potentially be exploited to execute arbitrary JavaScript bytecode by modifying Script objects that are already running. However, successful exploitation is only possible if JavaScript is enabled.
3. Some unspecified errors in the layout engine and memory corruption errors in the JavaScript engine can be exploited to crash the application and may allow the execution of arbitrary code. However, successful exploitation of some of these vulnerabilities is only possible if JavaScript is enabled.
4. An unspecified error within XML.prototype.hasOwnProperty can potentially be exploited to execute arbitrary code.
Mozilla recommends updating to version 1.5.0.8 to safeguard against these vulnerabilities.