It's gone, the myth of invulnerability of Mozilla users: one wrong click may be enough to infect your system with spyware -- even if you are using Mozilla or Firefox. The reasons are quite similar to well known security holes in Internet Explorer.
In the last few years, Microsoft's Internet Explorer has mainly drawn attention for its security problems. Again and again security holes were published that allowed spyware and trojans to be installed on user systems without the user doing anything more than opening an infested Web site; other times, some minimal action was required such as clicking or performing drag&drop on the page. Those holes were and are still actively exploited to download Spyware and Trojans onto the systems of unwary users.
The unholy trinity of ActiveX, Active Scripting and the local zone was responsible for a lot of these problems. Special Active X components provide methods for writing and activating files from within IE. With Active Scripting, those actions can be remotely activated. And for all this to work, the code has to be executed in the security zone of the local system. What is less commonly known: Mozilla & Co. offer quite similar concepts. And they are responsible for some of the serious security holes published during the last few months that damaged the reputation of Mozilla as a safe alternative to IE.
Inside the Danger Zone
Usually, only pages originating from the system they are opened on -- such as with a file:-URI -- have these privileges in IE. Writing an IE exploit, for example to install spyware from an external web site, therefore means that hackers have to find a way to get those rights of the local zone. But before XP Service Pack 2, many roads led to Rome.