Ubuntu has a security alert out on its Thunderbird e-mail client, with a flaw that could allow an attacker to take over a vulnerable PC.
Versions 5.10, 6.06 LTS and 6.10 are affected and can be fixed by upgrading to versions specified in Ubuntu’s alert.
Ubuntu says the problem is with the SSLv2 protocol support in the NSS library, which isn’t sufficiently checking the validity of public keys presented with a SSL certificate. “A malicious SSL Web site using SSLv2 could potentially exploit this to execute arbitrary code with the user’s privileges,” according to Ubuntu’s notice.
That same SSLv2 protocol support isn’t doing a good job at checking the validity of client master keys presented in an SSL client certificate. Again, remote attackers could exploit the flaw to execute code in a server application that uses the NSS library.
Finally, a handful of flaws have been reported that let an attacker gain user privileges and take over a PC by tricking a user into opening a malicious Web page.
