The protocol-handling errors were discovered by security researcher Billy Rios. Mozilla released Firefox 3.0.1 and Firefox 22.214.171.124.
Rios said an attacker can pass the URI from a remote Web page to FireFox.exe.
Mozilla said URIs pose a danger by allowing an attacker to read data or place a malicious file on the victim’s hard drive.
“This attack only works if the user is using another internet-connected application with Firefox not running. Using Firefox, or making sure it is at least running, prevents this attack,” Mozilla said in its advisory.
Rios also discovered a flaw in the Opera browser, which has been fixed. In both cases, Rios said the browser security teams worked quickly and took the threats seriously.