http://www.eweek.com/article2/0%2C1759%2C1621438%2C00.asp
Current versions of Mozilla and Firefox pass unknown protocol handlers to the operating system shell to handle. In this case, the location passed to the shell is a program name that the shell executes.
In short, Mozilla hands off the unknown command to the OS to take care of. This causes the OS to run the program, with no warning.
http://www.mozillazine.org/talkback.html?article=4960 has information about new releases of Firefox, Thunderbird, and Mozilla that fix this problem by disabling calls to the shell: scheme. If you don’t want to upgrade, you can manually turn off scheme: calls.
- Type about:config in the URL bar.
- Right-click and select New -> Boolean.
- Enter the preference name network.protocol-handler.external.shell in the box.
- If it already exists, the Value box will have the current value. Type false to add/edit the value.
If you’re not comfortable doing that manually, the MozillaZine link above has an XPI installer to change the default preference for you. Once you’ve installed the XPI, you can use about:config and filter for network.protocol-handler.external.shell to make sure the value is properly set to false.