Mozilla was contacted by Evgeny Legerov, the security researcher who discovered the bug referenced in the Secunia report, with sufficient details to reproduce and analyze the issue. The vulnerability was determined to be critical and could result in remote code execution by an attacker. The vulnerability has been patched by developers and we are currently undergoing quality assurance testing for the fix. Firefox 3.6.2 is scheduled to be released March 30th and will contain the fix for this issue. As always, we encourage users to apply this update as soon as it is available to ensure a safe browsing experience. Alternatively, users can download Release Candidate builds of Firefox 3.6.2 which contains the fix from here: https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/3.6.2-candidates/build3/
Update: To clarify, as originally claimed this issue affects Firefox 3.6 only and not any earlier versions. Thunderbird and SeaMonkey are based on earlier versions of the browser engine and are not affected. People testing “3.7” development builds should upgrade to 3.7 alpha 3 or the latest nightly build to ensure they have this fix.