The problem is that Firefox registers the "firefoxurl://" URI handler and allows invoking Firefox with arbitrary command-line arguments. Using, for example, the "-chrome" parameter, it is possible to execute arbitrary JavaScript in chrome context. This can be exploited to execute arbitrary commands, for example when a user visits a malicious web site using Microsoft Internet Explorer.
The vulnerability was found on a fully patched Windows XP SP2 system with Firefox 2.0.0.4; other versions may also be affected.
A temporary fix is to disable the "Firefox URL" URI handler, but instructions on how to do this aren't provided.
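For detection while the handler remains registered, link targets seen by a proxy or mail gateway can be screened for "firefoxurl:" URIs that carry command-line style switches such as "-chrome". The following Python is an added example, not part of the original advisory; the function names and sample links are constructed, and it assumes a switch appears as a token starting with "-" after whitespace or a quote once percent-encoding is removed.

```python
import re
from urllib.parse import unquote

SCHEME = "firefoxurl:"  # handler named in the advisory
# A switch-like token: "-name" at the start or after whitespace or a quote.
SWITCH_RE = re.compile(r"""(?:^|[\s"'])(-[A-Za-z][\w-]*)""")


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is also inspected."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def injected_switches(uri):
    """Return None if the URI does not use the handler, otherwise the list of
    command-line style switches found in its decoded body (empty if clean)."""
    uri = uri.strip()
    if not uri.lower().startswith(SCHEME):  # URI schemes are case-insensitive
        return None
    body = fully_decode(uri[len(SCHEME):])
    return [m.group(1).lower() for m in SWITCH_RE.finditer(body)]


# Constructed sample link targets, e.g. href/src values pulled from a proxy log.
SAMPLES = [
    "http://example.com/",
    "firefoxurl://example.com/my-page",
    "FirefoxURL://example.com/%20-chrome%20PLACEHOLDER",
    "firefoxurl://example.com/%2520-CHROME%2520PLACEHOLDER",
]

if __name__ == "__main__":
    for link in SAMPLES:
        found = injected_switches(link)
        if found is None:
            verdict = "other scheme"
        elif found:
            verdict = "ALERT switches=" + ",".join(found)
        else:
            verdict = "handler used, no switches"
        print(f"{verdict:35} {link}")
```

A hyphen inside an ordinary path segment (as in "my-page") is not flagged, because it is not preceded by whitespace or a quote.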