An unusual browser attack has been found in which Microsoft's Internet Explorer can be used to activate Mozilla's Firefox and run malicious code.

The zero-day flaw uses a protocol handler that Firefox puts on the computer when it installs to handle 'firefoxurl://' commands.

If Internet Explorer is used on a page that tries to use the 'firefoxurl://' the browser will activate Firefox automatically and allow malicious code to be run in JavaScript.

The flaw was found by security researcher Thor Larholm and published on his blog. No patch currently exists to deal with the problem. 

"While Mozilla is currently working on a fix, organisations need to take a proactive approach to mitigate risk to the network by alerting users to be careful when browsing the web and only visit trusted sites," said Paul Zimski, senior director of market strategy at Patchlink.

"Companies should be handling active scripting inside the Java browser to limit users visiting infected sites.

"While there are three critical patches that IT administrators have to deal with today, companies should prioritise and deploy the fix immediately for this exploit when it is released."

There is some confusion over which company should be providing a patch for this flaw. Secunia lists it as a Firefox flaw while SecurityFocus sees it as an Internet Explorer problem.