Bugzilla lists a total of 71 bugs that have been fixed in Mozilla Thunderbird 3.1.10, of which two have received the highest possible rating blocker. Additionally, 16 of the issues listed have received a severity rating of critical, and another four one of major.

Several of the fixes appear to be language related, for instance crash fixes when spell checking with French or Hungarian dictionaries, or update crashes when localized strings excess certain parameters.

Just check Bugzilla for the full list of fixes in this version of Thunderbird. The release, unlike that of Firefox 4.0.1 is already available for download at the official Mozilla Messaging website.

You can for instance download it from the official release notes page. It is likely that the email client will pick up the new release soon as well and display notifications in the application, so that in-application updates will become possible as well.

So what’s the deal with JavaScript and Thunderbird? The Thunderbird developers have apparently decided to remove JavaScript support in Thunderbird 3.

Due to various security considerations. Javascript has been disabled completely in message content (the javascript.allow.mailnews preference no longer has any effect). Javascript is enabled for remote content including RSS feeds.

JavaScript is still available for RSS feeds but not in message content. To begin with, this change likely affects only a minority of Thunderbird users, with most probably not even knowing that JavaScript was enabled at a time in the email client.

The definite answer at this point is that the developer’s have no intention of adding JavaScript again to the program. There is currently no config option or add-on that will bring back JavaScript in Thunderbird 3.

Thunderbird 3 users who read RSS feeds in the application might want to consider disabling JavaScript in this context as well to improve the security of the client. JavaScript is usually not needed to read RSS feeds although some media feeds might require it.

Here is how this is done:

Open the Tools > Options menu in Thunderbird. Switch to the Advanced tab and click the Config Editor button in the General sub-tab.

thunderbird 3 options

Confirm to be careful if this menu is opened for the first time. Enter JavaScript in the filter and locate the parameter JavaScript.enabled. Double-click that parameter to set it to false.

thunderbird javascript

This disables JavaScript for RSS feeds in Thunderbird 3. Scripts that are included are ignored by Thunderbird. It is not clear if a restart is required, it is recommended to restart to make sure the new setting is recognized by Thunderbird.

The update is a security update and it is therefor recommended to update immediately if Thunderbird is installed and in use on a computer system.

Interested users can take a look at the release notes for the new version which contain a link to the security issues that have been fixed.

The update fixes the following two critical and five moderate security vulnerabilities that can be exploited in earlier versions of the mail client:

• MFSA 2008-46 Heap overflow when canceling newsgroup message
• MFSA 2008-44 resource: traversal vulnerabilities
• MFSA 2008-43 BOM characters stripped from JavaScript before execution
• MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)
• MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution
• MFSA 2008-38 nsXMLDocument::OnChannelRedirect() same-origin violation
• MFSA 2008-37 UTF-8 URL stack buffer overflow

The update checks in the email client can be used to download the latest version. Users find that option in the Help > Check for Updates menu in Thunderbird. Everyone else can use the link posted above to download the email client Thunderbird from the official Mozilla website.

The same security vulnerabilities that have been fixed in Firefox 2.0.0.6 have also been fixed in Thunderbird which means that you should update immediately to the latest version. As far as I can tell there are no new features in this version, at least all my extensions are still working fine.

The Rumbling Edge lists the following three fixes for Thunderbird 2.0.0.6

Fixed: MFSA 2007-27 – Unescaped URIs passed to external programs (Critical)
Fixed: MFSA 2007-26 – Privilege escalation through chrome-loaded about:blank windows (Moderate)
Fixed: 389106 – firefox may not escape quotes everywhere