Bug Gets Mozilla's Thunderbird
Secunia, a Danish vulnerability tracking vendor, rated the bug -- which like the one disclosed Tuesday in the Linux edition of Firefox, relates to how the software processes URLs -- as "Extremely critical," the company's most dire warning.
The bug is in Thunderbird's parsing of URLs supplied on the command line. It can be triggered if, for instance, a user is tricked into clicking a "mailto:" link in a browser that uses Thunderbird as its default e-mail client (as Firefox does). Any Linux commands enclosed in backticks in the URL are executed.
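The class of flaw described above, shown as an added example that is not Mozilla's launcher code and not from the original article: a URL argument that a shell parses a second time has its backticks executed, while the quoted form passes it through untouched. The helper names (`mail_client`, `launch_unsafe`, `launch_safe`, `url_is_clean`) are hypothetical, the example assumes the URL reaches a shell wrapper (which the article does not detail), and the sample URL is constructed with an embedded command that only prints a marker word.

```shell
#!/bin/sh
# Added illustration; all function names are hypothetical, not Thunderbird's.

# Stand-in for the mail client binary: echoes back the argument it received.
mail_client() {
    printf '%s' "$1"
}

# UNSAFE pattern: the URL is pasted into a string that the shell parses again,
# so text enclosed in backticks inside the URL runs as a command.
launch_unsafe() {
    eval "mail_client $1"
}

# SAFE pattern: the URL stays one quoted argument and is never re-parsed.
launch_safe() {
    mail_client "$1"
}

# Defence in depth: accept only mailto: URLs built from a strict allow-list of
# characters (anything else must be percent-encoded). Strict on purpose: even
# "&" is refused, so multi-parameter links need encoding.
url_is_clean() {
    case "$1" in
        *[!A-Za-z0-9@.:?=%_+-]*) return 1 ;;  # character outside the allow-list
        mailto:?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample input: the embedded command only prints the word INJECTED.
SAMPLE_URL='mailto:user@example.com?subject=`echo INJECTED`'

printf 'unsafe launcher passed: %s\n' "$(launch_unsafe "$SAMPLE_URL")"
printf 'safe launcher passed:   %s\n' "$(launch_safe "$SAMPLE_URL")"
if url_is_clean "$SAMPLE_URL"; then
    printf 'filter: accepted\n'
else
    printf 'filter: rejected\n'
fi
```

In the unsafe output the backtick text has been replaced by the command's output, which shows that it ran; the safe launcher hands the client the literal string.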
Although the bug has been reported and, according to Bugzilla, Mozilla's software- and bug-management center, a fix is underway, there is as yet no official patch or updated version of Thunderbird.
Secunia's only recommendation was a terse "Do not use Thunderbird as the default mail handler."
Only the Linux/Unix version of Thunderbird is at risk.