Firefox 1.0.1 Security Update Released — The Mozilla Organization last week released Firefox 1.0.1 for all platforms, which fixes a number of small security holes or potential problems, notably the homograph spoofing problem we’ve talked about recently in TidBITS (see "Don’t Trust Your Eyes or URLs" in TidBITS-766). The updated version includes a new preference, network.IDN_show_punycode, which is set to true. (To access this preference, enter "about:config" in the Location field and press Return; it’s probably easiest to then type "IDN" in the Filter field to display the preference.)
Instead of seeing international characters rendered in a domain name, you’ll see the punycode, or Unicode-to-Roman mapping, when you visit a site that is attempting to pass itself off as another site using this technique. The Shmoo Group, which exposed this visual vulnerability, has a demonstration on its site. The second o in shmoo in the links at the top of that page is a homograph, a letter that looks like another letter. Before Firefox 1.0.1, the links and the destination of the fake domains at the top of that page would read "http://www.theshmoogroup.com/". Now they appear as "http://www.xn--theshmogroup-bgk.com/".
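To check a suspicious link by hand, the short Python script below (an added example, not code from Mozilla or The Shmoo Group) decodes the punycode hostname quoted above and names each non-ASCII character it hides. The function names are hypothetical; the conversion uses Python's built-in punycode codec.

```python
import unicodedata

ACE_PREFIX = "xn--"  # marks a punycode-encoded label in a hostname


def to_punycode_host(host):
    """Return the ASCII (punycode) form of a hostname, label by label."""
    out = []
    for label in host.lower().split("."):
        if label.isascii():
            out.append(label)  # plain ASCII labels are shown unchanged
        else:
            out.append(ACE_PREFIX + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def explain_host(host):
    """Decode xn-- labels and list every non-ASCII character found.

    Returns (unicode_host, findings) where each finding is
    (label, index_in_label, code_point, unicode_name).
    """
    labels, findings = [], []
    for label in host.lower().split("."):
        if label.startswith(ACE_PREFIX):
            label = label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
        for i, ch in enumerate(label):
            if ord(ch) > 127:
                findings.append(
                    (label, i, "U+%04X" % ord(ch), unicodedata.name(ch, "UNKNOWN"))
                )
        labels.append(label)
    return ".".join(labels), findings


if __name__ == "__main__":
    # Hostname as displayed by Firefox 1.0.1, taken from the article text.
    shown = "www.xn--theshmogroup-bgk.com"
    decoded, findings = explain_host(shown)
    for label, index, code_point, name in findings:
        print("label %r: position %d is %s (%s)" % (label, index, code_point, name))
    # Re-encoding the decoded name gives back what the browser displays.
    print(to_punycode_host(decoded))
```
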
The English version of Firefox 1.0.1 for Mac OS X is an 8.7 MB download; note that not all language versions have been updated yet.