Ouch…for once IE is not subject to this problem.
The exploit allows certain characters in internationalized domain names (IDN) to be hidden in firefox’s (and others) address bar, opening the door to easy phishing (relatively – one still needs to register a domain name to go phishing).
The example (no risk as far as I can see, but you’re on your own if your try) at shmoo.com makes you see http://www.paypal.com in the address bar while the page comes from http://www.pаypal.com. Scary.
There’s more info at Boing Boing, including an easy workaround: disable IDN handling.
Looks like I was right being skeptic about this “feature” of domain names. More confusion ahead.
Update: looks like firefox has been patched within 12 hours. Fixing IDNs will need more time I guess ;-)