Nasty new IE vulnerability.

Most people reading are probably aware of the common trick whereby spammers and other assorted ne'er-do-wells publish URLs with usernames that look like hostnames to fool people in to trusting a malicious site – for example, http://www.microsoft.com&session%[email protected]. This trick is frequently used by spammers to steal people's PayPal accounts, by tricking them in to “resetting” their password at a site owned by the spammer but disguised as PayPal.com.

Today's new Internet Explorer vulnerability makes the problem a hundred times worse. By including an 0x01 character after the @ symbol in the fake URL, IE can be tricked in to not displaying the rest of the URL at all. Don't expect a patch for a while either; the guy who discovered the bug released it to BugTraq on the same day he notified the vendor.

[Simon Willison's Weblog]

This is a real nasty problem. I went to the site, tried the demo, and looked at the source. It's the real thing. The location bar tells you that you are at www.microsoft.com and you know you are on a locally hosted page.