Well, there WAS a hole, it's already patched. Took 48 hours, evidently. It only affected Windows XP, and maybe 2000.
If you have 0.9 or 0.9.1, you can download this patch:
ShellBlock.
If you don't trust the patch, you can set the pref network.protocol-handler.external.shell in about
:config to false to remove the exploit.
Or you can download the
Windows 0.9.2 version and install (identical to 0.9.1 except for the security patch).
Full details here:
What Mozilla users should know about the shell: protocol security issue
Also, if you like Firefox,
the developers are asking people to submit reviews to download.com. Please consider this.