Exploit code for the recently announced Mozilla Firefox 1.5 QueryInterface() Remote Code Execution has been released as a part of the metasploit framework. Get yours today, firefox update to 1.5.0.1 that is (No links to exploits here, sorry) .

See http://isc.sans.org/diary.php?storyid=1091 for more details.

In addition, Thunderbird is vulnerable if Javascript is enabled. It is not by default. There is no update for Thunderbird available at this time.