According to Danish security vendor Secunia, which tagged the bugs with its highest "extremely critical" warning -- the first time it has used that to describe a Firefox flaw -- a hacker can trick the browser into thinking a download is coming from one of the sites permitted by default to install software automatically: addons.mozilla.org or update.mozilla.org.

Firefox 1.0.4 will be released as soon as possible to fix these bugs, but Mozilla also states that there are currently no known active exploits of the vulnerabilities. More details at TechWeb
Extremely critical flaws found in Firefox 1.0.3

A pair of extremely critical bugs that could allow a malicious user to take over one's PC were found in Mozilla's Firefox web browser earlier this month. The proof-of-concept code was leaked on Sunday, and Mozilla recommends that users disable JavaScript or lock down the browser so it can't install additional software, such as extensions or themes, from websites.