The Thunderbird email client is only available in an Extended Support Release these days, meaning it gets regular security patches but infrequent product enhancements; it hits 17.0.6.
Microsoft’s May 2013 Internet Explorer updates included two patches for which the world was waiting with bated breath – one to fix a vulnerability exposed at the 2013 PWN2OWN competition, and a second to close a much-publicised zero-day briefly found on a US government website at the end of April.
Mozilla, on the other hand, fixed its own PWN2OWN-found flaws within 24 hours, so its last two updates, 20.0 and 21.0, have been largely proactive on the security front.
Three of those close multiple holes that Mozilla admits “are potentially exploitable, allowing for remote code execution.”
Memory corruption problems, where software incorrectly writes over its own or another program’s code or data structures, are not always exploitable for malicious purposes. But they are always wrong, and often dangerous, especially in browsers and email clients, which spend most of their time processing content from untrusted external sources.
Mozilla, very creditably, tends not to mince its words when dealing with bugs of this sort.
For example, in Mozilla Foundation Security Advisory 2013-41, no exploits were immediately obvious for any of the bugs fixed, leading the team to report nothing worse than “we presume that with enough effort at least some of these could be exploited to run arbitrary code.”
Nevertheless, this advisory was rated Critical.
Many users will have Firefox set to grab and deploy updates automatically; if you’re one of those who don’t, it’s Make Your Mind Up Time!
If it helps you to decide, I just published this story in Firefox 21.0 on OS X, immediately after updating.
That’s a very minor and entirely unrepresentative “test”, but I’m pleased to say my plugins (including the Firebug debugger) have all behaved themselves, and I haven’t had any problems.
So I think you may as well go ahead too…