OMEN
05-02-2008, 09:55 PM
Fixes five flaws from five weeks ago
Mozilla Messaging, a subsidiary of the nonprofit Mozilla Foundation, yesterday patched five bugs in its Thunderbird e-mail client to fix flaws that were disclosed more than a month ago.
Thunderbird 2.0.0.14 patches vulnerabilities in the Firefox engine, which the open-source e-mailer uses to render HTML. The same holes were closed in late March for the Mozilla Web browser.
The bugs, which could be exploited by rogue JavaScript, had gone unfixed in Thunderbird because of resource shortages at the Mozilla spin-off, according to comments made at the time by CEO David Ascher. "Some of those resource contentions are due to not enough automation for the Thunderbird release process, and some of it is the consequence of not enough people with the right training," he said.
Rather than delay updates to Firefox users -- who greatly outnumber those who use Thunderbird -- Mozilla decided not to wait until Thunderbird's fixes could be crafted.
Mozilla Messaging rated yesterday's vulnerabilities as "moderate," the second level in its four-step threat-ranking system, even though they were originally labeled as "critical" when patched in Firefox.
"Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail," Mozilla said in the security advisories that accompanied yesterday's update. "This is not the default setting, and we strongly discourage users from running JavaScript in mail."
Thunderbird 2.0.0.14 can be downloaded from the Mozilla site in versions for Windows, Mac OS X and Linux. Users running the e-mail client can call up its built-in updater or wait for the automatic update notification, which typically appears within 48 hours after a new version is added to Mozilla's servers.
Most of Mozilla Messaging attention is now on Thunderbird 3.0, which has yet to release in its first alpha version. The company has not committed to a release schedule for the e-mail client's next major upgrade.
Mozilla Messaging was created last year as a companion to Mozilla Corp. after Mitchell Baker, then CEO of Mozilla Corp., said her company would stop development because it needed to focus on its browser. Baker seeded Mozilla Messaging with $3 million in start-up cash last September and hired Ascher, who had lead the Python projects at ActiveState Software Inc, a programming tools developer in Vancouver, British Columbia.
Compworld
Mozilla Messaging, a subsidiary of the nonprofit Mozilla Foundation, yesterday patched five bugs in its Thunderbird e-mail client to fix flaws that were disclosed more than a month ago.
Thunderbird 2.0.0.14 patches vulnerabilities in the Firefox engine, which the open-source e-mailer uses to render HTML. The same holes were closed in late March for the Mozilla Web browser.
The bugs, which could be exploited by rogue JavaScript, had gone unfixed in Thunderbird because of resource shortages at the Mozilla spin-off, according to comments made at the time by CEO David Ascher. "Some of those resource contentions are due to not enough automation for the Thunderbird release process, and some of it is the consequence of not enough people with the right training," he said.
Rather than delay updates to Firefox users -- who greatly outnumber those who use Thunderbird -- Mozilla decided not to wait until Thunderbird's fixes could be crafted.
Mozilla Messaging rated yesterday's vulnerabilities as "moderate," the second level in its four-step threat-ranking system, even though they were originally labeled as "critical" when patched in Firefox.
"Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail," Mozilla said in the security advisories that accompanied yesterday's update. "This is not the default setting, and we strongly discourage users from running JavaScript in mail."
Thunderbird 2.0.0.14 can be downloaded from the Mozilla site in versions for Windows, Mac OS X and Linux. Users running the e-mail client can call up its built-in updater or wait for the automatic update notification, which typically appears within 48 hours after a new version is added to Mozilla's servers.
Most of Mozilla Messaging attention is now on Thunderbird 3.0, which has yet to release in its first alpha version. The company has not committed to a release schedule for the e-mail client's next major upgrade.
Mozilla Messaging was created last year as a companion to Mozilla Corp. after Mitchell Baker, then CEO of Mozilla Corp., said her company would stop development because it needed to focus on its browser. Baker seeded Mozilla Messaging with $3 million in start-up cash last September and hired Ascher, who had lead the Python projects at ActiveState Software Inc, a programming tools developer in Vancouver, British Columbia.
Compworld