Microsoft denies spoofing is security flaw
ronjor
November 2nd, 2004, 01:16 PM
ZDNet (http://news.zdnet.com/2100-1009_22-5435331.html?tag=zdfd.newsfeed)
Quote: "The software giant did accept the possibility that spoofing could occur on version 6 of IE but rejected claims that this is a security flaw. Spoofing is a way of making people think they are visiting their chosen Web site when they are in fact looking at a "spoofed" site. Spoofing techniques are frequently used in phishing scams -- e-mails that attempt to steal personal information by purporting to be from legitimate groups."
meneer
November 2nd, 2004, 04:08 PM
They are right of course. The software is okay. Using ActiveX is okay (it's designed to enhance functionality). BHOs are okay; they are there to add functions. Active Scripting is okay too, and signing code does enhance the security feeling, really it does. Embedding Internet Explorer in Windows is a great idea; it makes a comfortable working environment. And since the system is fully trusted, the default use of an admin account simplifies computer use and adds to the comfort of end users.
There's just one design flaw in Windows. It needs a user to perform all kinds of tasks. And users are full of bugs.
still_longhorn
November 2nd, 2004, 04:47 PM
Microsoft can deny anything till doomsday, but Microsoft Internet Explorer contains a security-settings feature that can be modified according to a user's preferences. These settings control what actions a web site can take on a user's system.
A vulnerability exists in Internet Explorer which could allow a web site to be viewed in the Local Intranet Zone rather than the Internet Zone, thus allowing content to be viewed with less restrictive security settings.
Converting the IP address of the target web site into a dotless IP address and submitting it will cause Internet Explorer to view the web site in the Local Intranet zone.
still_longhorn
November 3rd, 2004, 09:00 PM
It's even worse for IE6/Win98 users, where IE's default security settings allow a malicious web page to open a new browser window, open another site's main frame in that new window and then set any subframes to a URL of their choosing. This could lead to misappropriation of private information, among other problems.
Example:
<SCRIPT>
// Open the target site in a new window; the attacker's page keeps a handle to it.
var b = window.open("http://www.citybank.com");
// Once the target has loaded, point one of its subframes at a page the attacker
// chooses. The surrounding frameset and the address bar still belong to the
// target, so the injected frame appears to be part of the target site.
function g()
{
    b.frames[2].location = "http://www.yahoo.com";
}
// Wait six seconds for the target page and its frameset to finish loading.
setTimeout(g, 6000);
</SCRIPT>
The demonstration is available at:
http://www.nat.bg/~joro/msfrspoof.html
To work around this exploit: Disable "Navigate sub-frames across different domains" option (Under 'Miscellaneous' in setting list for 'Custom Level' creation.)
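Added example (editor's addition, not code from this thread or from Microsoft): a runnable model of the two tricks in the posts above. The first half shows why a dotless IP literal such as 3405803781 (203.0.113.5, a documentation address) defeats a zone heuristic that keys on dots in the host name, and how canonicalising IP literals first closes that gap. The second half models the "Navigate sub-frames across different domains" setting as a same-origin check that reuses the same canonicaliser, so that two spellings of one address compare equal. The zone rules, the host names and the `allowCrossDomain` flag are constructed for illustration and are not Internet Explorer's actual logic.

```javascript
// Parse an IPv4 literal in the forms classic (inet_aton style) URL parsers
// accept: dotted decimal 192.168.0.1, dotless decimal 3232235521,
// hex 0xC0A80001, octal components 0300.0250.0.01, and short forms such as
// 192.168.1 where the last component fills the remaining bytes.
// Returns the canonical dotted-decimal string, or null if `host` is not an
// IPv4 literal at all (for example a DNS name).
function canonicalIPv4(host) {
  const parts = host.split('.');
  if (parts.length > 4) return null;
  const nums = [];
  for (const p of parts) {
    let n;
    if (/^0x[0-9a-f]+$/i.test(p)) n = parseInt(p, 16);
    else if (/^0[0-7]*$/.test(p)) n = parseInt(p, 8);      // "0" is octal zero
    else if (/^[1-9][0-9]*$/.test(p)) n = parseInt(p, 10);
    else return null;                                      // not numeric, e.g. "www"
    nums.push(n);
  }
  const last = nums.pop();
  const remainingBytes = 4 - nums.length;                  // bytes the last part covers
  if (nums.some((n) => n > 255)) return null;
  if (last >= 2 ** (8 * remainingBytes)) return null;      // would overflow 32 bits
  let value = 0;
  for (const n of nums) value = value * 256 + n;
  value = value * 2 ** (8 * remainingBytes) + last;
  return [24, 16, 8, 0].map((s) => Math.floor(value / 2 ** s) % 256).join('.');
}

// RFC 1918 ranges plus loopback; used only by the hardened zone model below.
function isPrivateIPv4(dotted) {
  const [a, b] = dotted.split('.').map(Number);
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Naive heuristic (constructed for illustration, not IE's rule): a host with
// no dots looks like an unqualified machine name, so it is treated as Local
// intranet. A dotless IP such as 3405803781 walks straight through this.
function naiveZone(host) {
  return host.includes('.') ? 'Internet' : 'Local intranet';
}

// Hardened model: resolve IP literals to dotted form before deciding, and only
// treat an address as intranet when it is actually in a private range.
function hardenedZone(host) {
  const ip = canonicalIPv4(host);
  if (ip !== null) return isPrivateIPv4(ip) ? 'Local intranet' : 'Internet';
  return host.includes('.') ? 'Internet' : 'Local intranet';
}

// Origin of a URL with the host canonicalised, so that http://3405803781/
// and http://203.0.113.5:80/ compare equal. Uses the global WHATWG URL class.
function canonicalOrigin(urlString) {
  const u = new URL(urlString);
  const host = canonicalIPv4(u.hostname) || u.hostname.toLowerCase();
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return `${u.protocol}//${host}:${port}`;
}

// Model of the "Navigate sub-frames across different domains" setting: when it
// is enabled (the default the post above complains about) any window may
// retarget another window's subframes; when disabled, only same-origin
// navigation is permitted.
function mayNavigateSubframe(openerUrl, frameUrl, allowCrossDomain) {
  if (allowCrossDomain) return true;
  return canonicalOrigin(openerUrl) === canonicalOrigin(frameUrl);
}

// Walk a few constructed hosts through both zone models and both settings.
function demo() {
  const hosts = ['3405803781', '0xCB007105', '203.0.113.5', 'intranet-box', 'www.example.com'];
  const lines = hosts.map((h) => `${h.padEnd(16)} naive: ${naiveZone(h).padEnd(15)} hardened: ${hardenedZone(h)}`);
  const opener = 'http://attacker.example/';
  const victim = 'http://www.citybank.com/';
  lines.push(`cross-domain subframe navigation, setting enabled:  ${mayNavigateSubframe(opener, victim, true)}`);
  lines.push(`cross-domain subframe navigation, setting disabled: ${mayNavigateSubframe(opener, victim, false)}`);
  for (const l of lines) console.log(l);
  return lines;
}

demo();
```

Run it with `node` to see the naive model file the dotless address under Local intranet while the hardened model puts it in Internet, and the subframe navigation from the post succeed only while the setting is enabled.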
steverio
November 3rd, 2004, 09:09 PM
Linux is looking better these days. :)
still_longhorn
November 3rd, 2004, 11:12 PM
Actually, Linux is not too far behind in terms of vulnerabilities. However, due to the smaller number of users, they are not as publicized. If Linux becomes the big guy on the block, expect even more vulnerabilities...
Copyright ©2002 - 2012, Wilders Security Forums