”I can inject a script that will display anything I want in the page when the user clicks the 'refresh' link," he said via instant message. "Combining this with the design flaw, an attacker can render in the browser whatever he wants with whatever URL he wants in the address bar."”
While no attacks have yet been reported using this flaw, it affects both Vista and Windows XP. Given that IE7 is now a critical update pushed via automatic updates, hopefully MS will be on the ball and repair the flaw soon. It's unlikely they will let it sit for long, with Firefox continuing to creep on their territory and already having skipped a patch cycle.