Ok, *this* vulnerability demo is good. Unlike other IE7 vulnerabilities that have been reported that resulted in weird behaviour that made it obvious to all but the most unobservant user that something weird is going on, this one is pretty much impossible to spot.
That being said, to take advantage of the vulnerability you’re going to have to convince somebody to visit a hostile site, and then convince the visitor to manually type a URL into the addressbar instead of using a link or favorite to go to a page, limiting its effectiveness.
The worst vulnerabilities are the ones that require no user interaction, or require user action that is normal behaviour. Now, although it is ‘normal behaviour’ to type URLs into an addressbar under some circumstances, and it is normal that people are advised to do so, it must be remembered that they are advised to do so **instead of clicking hyperlinks in an email**, not when at a Web site.
The demonstration is here:
The Secunia advisory is here: