The IDN fix is very welcome and in itself timely, but in general the Mac version of Firefox has been left behind when it comes to security updates. Whatever benefit there is to open source source software from a security standpoint has been lost on the Mac version. This update addresses the IDN flaw and some unspecified other flaws, but there have been known flaws with Firefox 1.0 for a long time that were addressed in Linux in short time, but not at all on the Mac, until today, finally. I'm not sure about the security flaw response time with the Windows version, but for the Mac it has been very poor indeed and I don't recommend Firefox to Mac users as a result. It may be great on other platforms, but Mac Firefox users have been treated as second class citizens by the developers.

Peter, can you follow up to see if these same fixes will be put on "official" releases of Mozilla and Camino shortly? Thanks.

It's not only Explorer and Firefox that can handle these kind of spoofs. I just ran the Secunia spoofing test (http://secunia.com/multiple_browsers_idn_spoofing_test/) using the nice little Japanese Safari variant Shiira, and it spotted the spoof the same way as Firefox, i.e. instead of displaying "http://www.paypal.com/" in the address bar, it shows "http://www.xn--paypl-7ve.com/". And this version of Shiira (0.9.3) has been around since early December! I think we'll see a Safari fix shortly, as this must be a very simple thing to fix. In the meantime I urge people to try Shiira (http://hmdt-web.net/shiira/index-e.htm), which is a much nicer alternative to Safari than Firefox - and uses Safari's bookmarks!