A bug was found in the way Thunderbird handles <img> tags. To quote the upstream bug:

When javascript: url is set by script, the access checks work properly.
  <img id="i">
  i.src = "javascript:...";
But, when javascript: url is set by <img> (or <link>, <style>) tag, the access checks don't work properly.
  <img src="javascript:...">
Thus, sandboxed script can access xbl.method's clone parent and xbl compilation scope to run arbitrary code with chrome privileges.
Lifting embargo
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0078.html
This flaw does not affect Thunderbird as previously thought. This is noted in the upstream advisory: http://www.mozilla.org/security/announce/2007/mfsa2007-09.html