The Mozilla Foundation acknowledged over the weekend that its own Firefox browser allows links that can send malicious code to external programs, a security issue that the group had previously argued should be fixed by the browser maker.

In early July, three researchers found a way to execute code in Firefox — and potentially other Windows programs — by passing it a malicious uniform resource identifier (URI) from Internet Explorer. The discovery lit off a firestorm of finger pointing: The Mozilla Foundation argued that IE should validate the URI before passing it along to another program, while Microsoft stated that input validation is the responsibility of the receiving program.

http://www.securityfocus.com/brief/553