Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 decode invisible characters when they are displayed in the location bar, which causes an incorrect address to be displayed and makes it easier for remote attackers to spoof URLs and conduct phishing attacks.
lists.opensuse.org/opensuse-security-announce/2009-03/msg00002.html
secunia.com/advisories/34140
secunia.com/advisories/34145
secunia.com/advisories/34272
securitytracker.com/alerts/2009/Mar/1021799.html
support.avaya.com/elmodocs2/security/ASA-2009-069.htm
support.avaya.com/japple/css/japple?temp.documentID=366362&temp.productID=154235&temp.releaseID=361845&temp.bucketID=126655&PAGE=Document
www.mandriva.com/security/advisories?name=MDVSA-2009:075
www.mozilla.org/security/announce/2009/mfsa2009-11.html
www.redhat.com/support/errata/RHSA-2009-0315.html
www.securityfocus.com/bid/33990
www.vupen.com/english/advisories/2009/0632
bugzilla.mozilla.org/show_bug.cgi?id=452979
exchange.xforce.ibmcloud.com/vulnerabilities/49087
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11222
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6039
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6157
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6229
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7435