The vulnerability allows attackers to overwrite arrays and to inject and execute arbitrary code by including certain formatting characters. The hole has been publicly known since last June and was rated extremely critical, at least for the browsers.
While the flaw has reportedly been fixed in the forthcoming version 2.0.0.24 of Thunderbird, the only version currently available to download is 2.0.0.24pre. The current release of Thunderbird 2.x (2.0.0.23) dates from last August. Why the Mozilla Foundation is taking so long to release a new version of Thunderbird 2.x is an open question; it could be that the development of Thunderbird 3 has drawn off all available resources. Since the new version of the email client does not contain the flaw, users are advised to switch to it if they can.
The link for this article located at H Security is no longer available.