The latest update to the open-source browser shores up a number of security risks, including some that Mozilla says could be exploited by an attacker to run commands on a vulnerable computer. But the flaws still affect the current Thunderbird release, 220.127.116.11.
One of the bugs involves a library used for PNG images, and could presumably be triggered by a poisoned image on a Web page. The second would be harder to exploit, as its description says you'd have to reload a page specially crafted to target a memory management flaw to get hit.
The other critical flaws could potentially allow an attacker to crash the program and run arbitrary code, which usually means installing malware.
These risks all affect the Thunderbird e-mail program as well as Firefox, but the Mozilla advisories says the Thunderbird fixes won't come until version 18.104.22.168. Thunderbird is only at 22.214.171.124 right now.