The flaw lies in the way the browsers handle International Domain Names, which are web addresses that use international characters
Is anyone else wondering how this flaw, with different characters being allowed, lets people run arbitrary code? So far I haven't found anything technical, only news articles like this one.