Zalewski classified the bug as "critical." Microsoft said it is aware of the report and is investigating.
The bug has been submitted to Mozilla as bug 382686, and is similar to Mozilla bug 381300 but is more serious, the researcher said.
He said the bug was "major," but Mozilla's security chief, Windows Snyder, said the bug was not highly serious, giving it a security rating of "low."
Zalewski also reported two less serious problems, one potentially allowing an attacker to download programs onto a user's computer, and the other allowing spoofing of URL data in IE 6.
Mozilla's Snyder noted that the second Firefox bug would require an additional vulnerability to have any effect on users.
Last week Mozilla said it had patched several serious security flaws in Firefox, bugs that also affect the SeaMonkey browser and the Thunderbird email application. The bugs could allow an attacker to take over a system, as well as less serious exploits such as spoofing or security bypass, Mozilla said.
While browser bug patches, even for critical flaws, have become somewhat routine, the latest alert highlighted the fact that Firefox no longer has as clear an advantage over Microsoft's Internet Explorer as it once did.