The Mozilla Foundation on Friday shipped a new version of its Thunderbird mail client to plug a potentially serious URL parsing security hole affecting Linux users.
The open-source group described Thunderbird 1.0.7 as a “security and stability update” that provides a comprehensive fix for the URL parsing bug that was also flagged in the Firefox browser.
That flaw, which affects Thunderbird users on Linux, has already been fixed in Firefox 1.0.7 and the Mozilla Suite 1.7.12. It could allow a malicious URL to execute shell commands with the privileges of the logged-on user.
The Foundation has earlier suggested that users avoid clicking on links in spam or other e-mails.
Security alerts aggregator Secunia Inc. rates the flaw as “highly critical.”
“We recommend that all users upgrade to this latest version,” the Foundation said.
Thunderbird is a full-featured e-mail, RSS and newsgroup client and is being marketed as the volunteer Foundations answer to Microsoft Corp.s Outlook.
Mozilla is also beta testing Thunderbird 1.5, but the security fixes have not yet been added to that update.
Thunderbird 1.5 Beta 1 promises an automated mechanism to streamline product upgrades; a built-in phishing detector to thwart e-mail scammers; Podcasting and RSS improvements; integration with server-side spam filtering, Kerberos authentication and several stability improvements.