Microsoft released today (23rd of December) a patch for what they call the "Frame Spoof" vulnerability. This vulnerability enables malicious webmasters to insert content into frames within another web site's window, so that a user can be tricked into providing personal data to a malicious web site rather than the site they believe they are on.
For example, a nefarious Web site could cause false or embarrassing information to be displayed by (seemingly) another Web site, or it could cause the other Web site to display a form which, if filled in, would send information back to the attacker.
This vulnerability can also be exploited through email. For example, a user might receive an HTML email message appearing to be from a trusted source (since standard email is easily forged) containing a message advertising a product or service. That email could then be linked to a known and trusted Web site. The right Web site could be chosen to confirm the attacker's message.
An unscrupulous individual or organization could exploit this vulnerability in many ways:
1) Defraud the public by disseminating false information via a credible source (e.g. distributing false financial/investment information via a major stock exchange's Web site).
2) Obtain confidential information from a company's customers, an organization's members, etc.
3) Gain unfair competitive advantage by misleading the public about a competitor's products or prices.
4) Embarrass a company or organization by falsely attributing embarrassing statements, pornography, etc. to them.
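
A site that uses frames can check from its own top-level document whether any of its frames now shows content from somewhere else, which is the condition described above. The following is an added example, not code from Microsoft or the original advisory; it assumes every frame on the site is meant to stay on the site's own origin, and the function names, origins and mock windows are hypothetical and constructed so the check also runs under Node.

```javascript
// Added example: self-check for a framed site, run from its top-level document.
// Assumption: all frames in the site's frameset should stay on expectedOrigin.

// Returns the paths (e.g. "top.frames[1]") of frames whose content no longer
// belongs to expectedOrigin. Browsers refuse to let a script read the location
// of a cross-origin frame, so an exception is treated as "foreign content".
function findForeignFrames(win, expectedOrigin, path = "top") {
  const foreign = [];
  for (let i = 0; i < win.frames.length; i++) {
    const child = win.frames[i];
    const childPath = `${path}.frames[${i}]`;
    let origin = null;
    try {
      origin = child.location.origin;
    } catch (e) {
      origin = null; // access denied: the frame was navigated to another origin
    }
    if (origin !== expectedOrigin) {
      foreign.push(childPath);
      continue; // a foreign frame's own children cannot be inspected
    }
    foreign.push(...findForeignFrames(child, expectedOrigin, childPath));
  }
  return foreign;
}

// Constructed stand-in for a browser window object (hypothetical helper).
function fakeWindow(origin, children = [], readable = true) {
  const location = {};
  Object.defineProperty(location, "origin", {
    get() {
      if (!readable) throw new Error("SecurityError (constructed)");
      return origin;
    },
  });
  return { location, frames: children.slice() };
}

const SITE = "https://bank.example";   // hypothetical trusted origin
const OTHER = "https://other.example"; // hypothetical foreign origin
const sampleTop = fakeWindow(SITE, [
  fakeWindow(SITE),                                   // menu frame, untouched
  fakeWindow(SITE, [fakeWindow(OTHER, [], false)]),   // nested frame replaced
  fakeWindow(OTHER, [], false),                       // content frame replaced
]);

function demo() { return findForeignFrames(sampleTop, SITE); }
```

In a real page the call would be `findForeignFrames(window.top, window.location.origin)`, repeated on a timer, with a non-empty result treated as a reason to reload the frameset or warn the user.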