The Workaround for the Latest Firefox Flaw

Easy way to fix the latest vulnerability in Mozilla's browser

By Bogdan Popa, Security and Search Engines Editor

26th of February 2007, 09:02 GMT


The contest for the most powerful Internet browser may be the more interesting one, but Internet Explorer and Firefox now seem to be challenging each other for the "most vulnerable browser" award. This time it is Mozilla's turn: a new critical vulnerability was discovered in the Network Security Services (NSS) code that processes the SSLv2 protocol. The flaw also affects other Mozilla tools, including Thunderbird and SeaMonkey.
Although the vulnerability is fixed in Firefox 2.0.0.2, Firefox 1.5.0.10, SeaMonkey 1.0.8 and NSS 3.11.5, some older applications still allow the flaw to be exploited.

"SSL clients such as Firefox and Thunderbird can suffer a buffer overflow if a malicious server presents a certificate with a public key that is too small to encrypt the entire "Master Secret". Exploiting this overflow appears to be unreliable but possible if the SSLv2 protocol is enabled.
Servers that use NSS for the SSLv2 protocol can be exploited by a client that presents a "Client Master Key" with invalid length values in any of several fields that are used without adequate error checking. This can lead to a buffer overflow that presumably could be exploitable," Mozilla stated in a security advisory.

As the developer mentioned, Firefox 2 is not affected by the flaw because the feature is disabled by default, so you are vulnerable only if you have modified the program's configuration. In Firefox 1.5, disable the feature by going to Options/Preferences/Advanced and unchecking the Use SSL 2.0 option under the Security tab. In Thunderbird 1.5 the workaround is a little more involved: go to Options/Preferences/Advanced, click the Config Editor button and type ssl2. Then select the security.enable_ssl2 entry, open it and choose false in the dialog that appears. Close the application and open it again.
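To confirm the workaround actually took effect across many profiles, the setting can be read from the profile's preference files. The following is an added example, not part of the original article or Mozilla's code: it parses `user_pref(...)` lines for `security.enable_ssl2` and resolves the effective value, with `user.js` taking precedence over `prefs.js`. The sample file contents are constructed, and the `app_default` values (off for Firefox 2, on for the 1.5 products) are assumptions taken from the article's description.

```python
import re

PREF = "security.enable_ssl2"

# Matches active lines such as: user_pref("security.enable_ssl2", true);
# Lines commented out with // or # do not match (block comments are not handled).
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"(?P<name>[^"]+)"\s*,\s*(?P<value>.+?)\s*\)\s*;', re.M)

def read_pref(text, name=PREF):
    """Return the last boolean set for `name` in a prefs file, or None if absent."""
    value = None
    for m in PREF_RE.finditer(text):
        if m.group("name") == name and m.group("value") in ("true", "false"):
            value = m.group("value") == "true"
    return value

def ssl2_enabled(prefs_js, user_js="", app_default=False):
    """Effective setting: user.js wins over prefs.js, which wins over the default.

    app_default is an assumption based on the article: False for Firefox 2,
    True for Firefox 1.5 / Thunderbird 1.5.
    """
    for text in (user_js, prefs_js):
        value = read_pref(text)
        if value is not None:
            return value
    return app_default

# Constructed sample contents of a profile's prefs.js and user.js
SAMPLE_PREFS_JS = '''\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.enable_ssl2", true);
'''
SAMPLE_USER_JS = '''\
// user_pref("security.enable_ssl2", true);
user_pref("security.enable_ssl2", false);
'''

if __name__ == "__main__":
    for label, user_js in (("prefs.js only", ""), ("with user.js", SAMPLE_USER_JS)):
        state = "ENABLED" if ssl2_enabled(SAMPLE_PREFS_JS, user_js) else "disabled"
        print(f"{label}: SSLv2 {state}")
```

A profile with no entry for the preference is reported at the application default, which is why a Firefox 1.5 or Thunderbird 1.5 profile should be checked with `app_default=True`.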

© Copyright 2001-2009 Softpedia