That is pretty scary. I wonder how long it take some criminal to put up site that looks like a bank, spam people into going to the spoofed site, then get thier credit card/account information. They could even spoof the IRS site and tell people they have a long lost refund... easy way to get people's SSNs.

Both the status bar on the link as well as the address line can be easily spoofed. As long as the links on the spoofed site are relative (not using the domain name) the address line shows fake address.

There have been examples of this around the web for a week now.

Microsoft doesn't want to release any updates in December
but I sure hope they change their minds soon for this critical issue.

Just imagine faking banking, PayPal or ebay logins, the damage that could do.

Faking affiliate code would concern me....

See this thread [webmasterworld.com] for an available patch.

The 3rd party patch has some serious issues and is being withdrawn [internetnews.com]. (Also see here [theregister.co.uk])

It's got a buffer overflow vunerability, memory leak problems, and a "liveupdate" backdoor that people didn't notice at first. Not a good thing and I hate how this only encourages long delays by Microsoft.