Mozilla Vulnerability Quickly Fixed
2004-07-12 03:14:00
The Mozilla Foundation Thursday issued a patch for a new vulnerability in the Windows version of its browser and e-mail client family, and urged all users to download the fix or update to the newest versions.
The vulnerability was first disclosed Wednesday on the public security mailing list Full Disclosure.
The patch disables the use of the shell: external protocol handler, which allows users to run other programs by clicking links. Hackers could use this to exploit vulnerabilities in a browser helper application -- by passing parameters to create a buffer overflow -- to gain control of the target PC.
Mozilla posted a small fix on its Web site for its Mozilla suite (versions 1.7.0 and earlier), Firefox stand-alone browser (0.9.1 and earlier), and Thunderbird e-mail client (0.7.1 and earlier).
New versions of the browsers and e-mail client that incorporate the configuration change also are available for download from the site.
Only the Windows versions are affected, said the Foundation in a statement on its Web site; the Macintosh and Linux editions are safe as is.
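As an added illustration (not part of the original article and not Mozilla's own code), the following Python sketch checks whether a profile's preference file explicitly disables the shell: external protocol handler. The preference name `network.protocol-handler.external.shell` is not given in the article and is assumed here to be the setting the configuration change flips; the sample preference files are constructed.

```python
import re

# Preference assumed to be the one the configuration change sets to false.
# The name does not appear in the article.
SHELL_PREF = "network.protocol-handler.external.shell"

# Matches lines such as: user_pref("name", value);
# Anchored at line start, so commented-out entries are ignored.
PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_prefs(text):
    """Return {name: raw_value}; a later line overrides an earlier one."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs

def shell_handler_status(text):
    """Classify a profile as 'disabled', 'enabled', or 'unset'.

    'unset' means the profile says nothing and the installed build's
    default decides, so the build version must be checked separately.
    """
    value = parse_prefs(text).get(SHELL_PREF)
    if value is None:
        return "unset"
    return "disabled" if value == "false" else "enabled"

# Constructed sample preference files (not taken from a real profile).
PATCHED = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.protocol-handler.external.shell", false);
'''
UNPATCHED = '''user_pref("browser.startup.homepage", "about:blank");
// user_pref("network.protocol-handler.external.shell", false);
'''
REENABLED = PATCHED + 'user_pref("network.protocol-handler.external.shell", true);\n'

if __name__ == "__main__":
    for label, sample in [("patched", PATCHED), ("unpatched", UNPATCHED),
                          ("re-enabled", REENABLED)]:
        print(label, "->", shell_handler_status(sample))
```

An "unset" result on one of the affected versions listed above means the fix has not been applied to that profile.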
Future versions of Firefox, added the Foundation, will include an automatic update notification feature that will alert users to security vulnerabilities and fixes.
Mozilla, which has been recommended by analysts and security experts -- including the U.S. Computer Emergency Response Team (US-CERT) -- as an alternative to the vulnerability-plagued Internet Explorer, now joins Microsoft in issuing configuration change patches. Microsoft issued a similar change, although for a different vulnerability, last Friday.
The same day, a Dutch security expert published sample code that showed how Internet Explorer is susceptible to the same vulnerability that Mozilla just patched. A configuration change or other fix for IE, however, is not yet available, although Microsoft has confirmed the vulnerability. It is investigating the problem and is planning on releasing a series of updates to its browser in the coming weeks, Microsoft said.