Mozilla Security Advisory
If you use any Mozilla products (including Firefox or Thunderbird) on a Windows platform, there is a fairly serious security hole that you should patch:
“Windows versions of Mozilla products pass URIs using the shell: scheme to the OS for handling. The effects depend on the version of Windows, but on Windows XP it is possible to launch executables in known locations or the default handlers for file extensions. It could be possible to combine this effect with a known buffer overrun in one of these programs to create a remote execution exploit, although at this time we have confirmed only denial-of-service type attacks (including crashing the system in some cases).” — Dan Veditz (Mozilla Security Group)
There was a kerfuffle yesterday on Full-Disclosure (a security mailing list) because someone posted a shell: protocol vulnerability for Internet Explorer. The same type of problem was announced as affecting Mozilla today.
Read more (and find patch information) at mozilla.org.
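The underlying design lesson is that an application should hand a URI to the operating system only when its scheme is on an explicit allowlist. The sketch below is an added example, not Mozilla's code or its patch; the function names and both scheme lists are assumptions chosen for illustration, and it goes slightly beyond the advisory by contrasting the allowlist with a naive prefix check.

```javascript
// Added example: deciding whether a URI may be passed to the OS handler.
// All names and both scheme lists are hypothetical, not taken from Mozilla.

// Schemes the application renders itself (assumed list).
const INTERNAL_SCHEMES = new Set(["http:", "https:", "ftp:"]);
// Schemes that may be delegated to an OS-registered handler (assumed list).
const EXTERNAL_ALLOWLIST = new Set(["mailto:", "news:"]);

// Weak approach: block one known-bad prefix on the raw string.
// Case changes, leading spaces or embedded tabs slip past it.
function naiveDenylistBlocks(raw) {
  return raw.startsWith("shell:");
}

// Stronger approach: parse first, then allow only known schemes.
// The WHATWG URL parser trims surrounding whitespace, drops tab and
// newline characters, and lowercases the scheme before we compare.
function classifyUri(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { action: "reject", reason: "unparseable" };
  }
  const scheme = url.protocol;
  if (INTERNAL_SCHEMES.has(scheme)) return { action: "internal", scheme };
  if (EXTERNAL_ALLOWLIST.has(scheme)) return { action: "external", scheme };
  // Anything else, including shell:, never reaches the OS.
  return { action: "reject", scheme, reason: "scheme not allowlisted" };
}

// Constructed sample inputs (placeholders, not working payloads).
const SAMPLES = [
  "shell:placeholder",
  "  SHELL:placeholder",
  "sh\tell:placeholder",
  "mailto:user@example.com",
  "https://example.org/",
];

for (const s of SAMPLES) {
  const verdict = classifyUri(s);
  console.log(JSON.stringify(s), "->", verdict.action,
              "| naive denylist blocks:", naiveDenylistBlocks(s));
}
```

The prefix check stops only the first sample, while the allowlist rejects all three shell: variants because it never has to enumerate what is dangerous.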
