Mozilla has fixed a drag-and-drop vulnerability in Thunderbird that attackers could exploit to plant malware on targeted machines. The vendor addressed the same problem in Firefox and the Mozilla Suite earlier this month.
"Images dragged and dropped from a Web page to the desktop preserved their original name and extension. If this were an executable extension then the file would be executed rather than opened in a media application," Mozilla said in an advisory.
Danish security firm Secunia said an attacker could exploit this condition to plant malware on targeted systems. Secunia said the problem has been addressed in version 1.0.2 of the Thunderbird e-mail service. Mozilla said the problem has also been fixed in Firefox 1.0.1 and Mozilla 1.7.6.
Mozilla did note in its advisory that an attacker would have to put some effort into exploiting this security hole.
"In order to exploit this, the attacker would have to construct a valid image that was also a valid executable," the advisory said. "The attacker must convince the user to drag the image to their desktop and sometime later double click on it without noticing it has an executable icon rather than the expected media-type image."
As a workaround, Mozilla recommended users not hide Windows extensions. "Be cautious downloading files from untrusted sites," the advisory added.
Besides the drag-and-drop issue, Secunia said Firefox 1.0.1 and Mozilla 1.7.6 address other vulnerabilities reported earlier:
- An error in the restriction of URI handlers loaded via plug-ins can be exploited to link to certain restricted URIs.