The open source browser would normally restrict the level of access given to such code, but when the code is delivered through Internet Explorer the restrictions are not in place.
An attacker could simply attach the malicious code to a URL instructing Internet Explorer to launch Firefox and run the exploit.
A similar flaw was later found to exist in AIM instant messaging clients. The researchers who discovered the AIM flaw suggested that both vulnerabilities are down to the way the Uniform Resource Identifiers are handled.
Mozilla stressed that the fix will only prevent the Firefox end of the attack. Microsoft said that it is investigating the Internet Explorer reports.
Along with the cross-browser vulnerability, two further critical flaws were addressed in the Firefox update.
The first allowed attackers to execute arbitrary code by way of what Mozilla categorises as "an unspecified element outside a document".
The update also includes fixes for a pair of cross-site scripting vulnerabilities and a flaw that could allow an attacker to access a user's web cache.
The update is available through the Firefox website or through the browser's automatic update feature.
Mozilla patches cross-browser Firefox flaw
By Shaun Nichols on Jul 23, 2007 12:09PM