The latest update to the open-source browser shores up a number of security risks, including some that Mozilla says could be exploited by an attacker to run commands on a vulnerable computer. But the flaws still affect the current Thunderbird release, 2.0.0.19.
One of the bugs involves a library used for PNG images, and could presumably be triggered by a poisoned image on a Web page. The second would be harder to exploit, as its description says you’d have to reload a page specially crafted to target a memory management flaw to get hit.
The other critical flaws could potentially allow an attacker to crash the program and run arbitrary code, which usually means installing malware.
These risks all affect the Thunderbird e-mail program as well as Firefox, but the Mozilla advisories says the Thunderbird fixes won’t come until version 2.0.0.21. Thunderbird is only at 2.0.0.19 right now.
Until the Thunderbird fix comes around, users should be able to to mitigate the first risk with PNG images by only loading images in trusted e-mails. The others can be evaded by making sure Javascript is disabled in mail (the default setting).