Users are being urged to update their copies of
Mozilla's Thunderbird and SeaMonkey email applications after the disclosure of a serious security flaw.
The
advisory warns of a 'critical' flaw in the two applications which could allow an attacker to remotely execute code on compromised systems.
Mozilla said that the vulnerability lies in the way Thunderbird handles Mime content in email messages.
By sending a specially crafted message, an attacker could trigger a buffer overflow error which would leave the user vulnerable to the remote installation and launch of malware.
Discovery of the flaw was credited to a security researcher using the name 'regenrecht', who reported the vulnerability in January via
iDefense.
The vulnerability is patched in Thunderbird 2.0.0.12 and SeaMonkey 1.1.8. The
US Computer Emergency Response Team recommended that users update to the latest versions of both applications.
Users can also patch the flaw by changing the application's 'mailnews.display.disallow_mime_handlers' property to any value greater than three.
News of the vulnerability comes just one week after Mozilla spun off Thunderbird into a subsidiary company known as
Mozilla Messaging.
