The Mozilla Foundation has urged users of its open-source Mozilla Application Suite, Firefox browser and Thunderbird email client, to download a small patch to work around a security vulnerability discovered Thursday.

The patches download a configuration change which disables the use of the :shell external protocol handler for running external programs by clicking on a hyperlink.

The security handling of this command may enable attackers to run arbitrary programs on Windows systems, although there are no problems for Mozilla users running other operating systems such as Mac OS, Linux and other Unix variants, Mozilla said.

The vulnerability affects Mozilla (version 1.7.0 and earlier), Firefox (0.9.1 and earlier), and Thunderbird (0.7.1 and earlier).

Full new versions of the free products are also available from the site, Mozilla said.