The Mozilla Foundation acknowledged over the weekend that its own
Firefox browser allows links that can send malicious code to external
programs, a security issue that the group had previously argued should
be fixed by the browser maker.

In early July, three researchers found a way to execute code
in Firefox — and potentially other Windows programs — by passing it a
malicious uniform resource identifier (URI) from Internet Explorer. The
discovery lit off a firestorm of finger pointing: The Mozilla Foundation argued that IE should validate the URI before passing it along to another program, while Microsoft stated that input validation is the responsibility of the receiving program.

http://www.securityfocus.com/brief/553