As though to prove the statement in my entry to Dave that Mozilla/Firefox aren’t without their own holes, the folks at Mozilla.org are announcing a soon-to-be-released update for their three big products to plug a newly discovered vulnerability:
Branches have been created for three of mozilla.org’s latest releases, in order to fix an external windows protocol handler bug. The fix involves disabling the shell: protocol handler, which was found to enable pages to run executables on Windows via a link. Builds should officially be available shortly, and there will also be an XPI offered to disable the pref. Alternatively, you can set the pref “network.protocol-handler.external.shell” in about:config to ‘false’ to also remove the exploit.
More information about the exploit can be found in this post on the Full Disclosure mailing list.
UPDATE! The XPI to disable the pref is now available.
New builds, a downloadable patch, and a by-hand work-around. What more could you ask for?
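As an added example (not part of the original post or anything Mozilla shipped), here is a small Python check for the by-hand workaround: it parses a profile's prefs.js/user.js and reports whether the pref is explicitly set to false. The sample prefs content is constructed, and the profile path is whatever you pass in.

```python
import re
from pathlib import Path

# Pref named in the Mozilla announcement; false disables the shell: handler.
SHELL_PREF = "network.protocol-handler.external.shell"

# Matches the user_pref("name", value); lines found in prefs.js and user.js.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample prefs.js content (not taken from any real profile).
SAMPLE_PATCHED = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.protocol-handler.external.shell", false);
'''
SAMPLE_UNPATCHED = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
'''


def parse_prefs(text):
    """Return {name: value} from prefs.js-style text.
    Values are decoded as true/false, integers, or quoted strings."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # header comment, blank lines, anything that is not a pref
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def shell_handler_disabled(text):
    """True only when the pref is explicitly false. A missing pref means the
    browser default applies, which on the affected builds allowed shell: links."""
    return parse_prefs(text).get(SHELL_PREF) is False


def audit_profile(profile_dir):
    """Check a profile directory; user.js overrides prefs.js, so read it last."""
    merged = {}
    for fname in ("prefs.js", "user.js"):
        p = Path(profile_dir) / fname
        if p.exists():
            merged.update(parse_prefs(p.read_text(encoding="utf-8", errors="replace")))
    return merged.get(SHELL_PREF) is False
```

Run `audit_profile` against each Firefox/Mozilla profile directory on a machine to find users who still need the XPI or the new build.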