I believe I have seen this with SSL Scanner. Do you have it turned on?
If yes, please try to add
into the "SSL Host Tunnel List".
Additionally, it's notable that the XPI format of the updates is essentially a zip - similar to .jar for Java. MWG extracts theses files and scans them. It can happen that MWG sends progress pages instead fo data trickles (depending on your config of course). Thunderbird expects binary data but is getting HTML from MWG and therefore the update or installation breaks. You might want to whitelist it as well for progress pages.
In addition to what Andre said, you also need to import the MWG Root CA into the certificate lists in Thunderbird.