"Branches have been created for three of mozilla.org's latest releases, in order to fix an external Windows protocol handler bug. The fix involves disabling the shell: protocol handler, which was found to enable pages to run executables on Windows via a link. Builds should officially be available shortly, and there will also be an XPI offered to disable the pref. Alternatively, you can set the pref network.protocol-handler.external.shell in about:config to false to remove the exploit."
Patched versions of Mozilla 1.7.1 and Firefox 0.9.2 have now been released; there is also the option of downloading an XPI patch that disables the shell: protocol handler.
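To confirm that the about:config workaround quoted above is actually in place in a profile, the pref can be read back from the profile's prefs.js and user.js. The following is an added example, not code from mozilla.org; the function names and sample file contents are constructed for illustration, and it assumes that any value other than false means the workaround has not been applied.

```python
import re

PREF = "network.protocol-handler.external.shell"  # pref name given on the page

# One user_pref("name", value); statement per line, as in prefs.js / user.js.
PREF_LINE = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.MULTILINE)

def read_pref(text, name=PREF):
    """Return the last raw value set for `name` in one prefs file, or None."""
    # Drop /* ... */ blocks; lines starting with // or # never match PREF_LINE.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    value = None
    for key, raw in PREF_LINE.findall(text):
        if key == name:
            value = raw  # a later line overrides an earlier one
    return value

def shell_handler_status(prefs_js, user_js=""):
    """Classify the pref. user.js is applied over prefs.js at startup."""
    value = read_pref(user_js)
    if value is None:
        value = read_pref(prefs_js)
    if value is None:
        return "not set"   # workaround not applied in this profile
    return "disabled" if value == "false" else "enabled"

# Constructed sample profile files (not taken from a real installation).
SAMPLE_PREFS = '''# Mozilla User Preferences
/* Do not edit this file. */
user_pref("browser.startup.homepage", "http://www.mozilla.org/");
user_pref("network.protocol-handler.external.shell", true);
'''
SAMPLE_USER = '''// user_pref("network.protocol-handler.external.shell", true);
user_pref("network.protocol-handler.external.shell", false);
'''

if __name__ == "__main__":
    print("prefs.js only:     ", shell_handler_status(SAMPLE_PREFS))
    print("prefs.js + user.js:", shell_handler_status(SAMPLE_PREFS, SAMPLE_USER))
```
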