The phishing hole in Internet Explorer 7 that I disclosed 3 months ago was fixed by Microsoft's June security update.
The following was the vulnerable code in the ieframe.dll resource file:
The clickRefresh() function then validates that the address after the # sign is considered safe for navigation, before it replaces the location with this address.
Although this change closes the XSS vulnerability, I still don't understand why Microsoft considers local file access URLs (file://) safe for navigation. I hope this doesn't open another hole.
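To make the fix described above concrete, here is an added illustration of how a page can validate a navigation target taken from the part of the URL after the # sign before assigning it to the location. This is example code written for this post, not the clickRefresh() implementation from ieframe.dll (which the post does not reproduce). It assumes an allowlist of http: and https: only, so that, unlike the behaviour questioned above, a file:// target is rejected along with javascript: and other non-web schemes; the base URL and sample inputs are constructed.

```javascript
// Added example: allowlist-based check of a navigation target carried in the
// URL fragment. Illustrative code only; not the ieframe.dll clickRefresh() code.

// Assumption: only ordinary web URLs may be navigated to. file:, javascript:,
// data:, res: and every other scheme are refused.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns the decoded text after the first '#', or null if there is none.
function targetFromFragment(href) {
  const idx = href.indexOf("#");
  if (idx === -1) return null;
  const raw = href.slice(idx + 1);
  if (raw.length === 0) return null;
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return null; // malformed percent-encoding: refuse rather than guess
  }
}

// True only if the candidate, resolved against the current page, parses as a
// URL whose scheme is on the allowlist. Parsing with the WHATWG URL class
// normalises case and whitespace so "JavaScript:" or " file:" cannot slip by.
function isSafeNavigationTarget(candidate, base) {
  let parsed;
  try {
    parsed = new URL(candidate, base);
  } catch (e) {
    return false;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Returns the absolute URL to navigate to, or null when the fragment is
// absent or fails validation. A caller would only assign location when a
// non-null value comes back.
function resolveNavigation(currentHref) {
  const target = targetFromFragment(currentHref);
  if (target === null) return null;
  if (!isSafeNavigationTarget(target, currentHref)) return null;
  return new URL(target, currentHref).href;
}

// Constructed sample: an error page whose fragment names the original address.
const SAMPLE_PAGE = "https://example.test/error.html#https://example.com/login";
console.log(resolveNavigation(SAMPLE_PAGE)); // https://example.com/login
console.log(resolveNavigation("https://example.test/error.html#file:///C:/")); // null
```

The important design choice is to parse the candidate as a URL and compare the resulting scheme against a short allowlist, rather than to search the raw string for known-bad prefixes; a denylist of schemes is exactly the kind of check that lets file:// through because nobody thought to list it.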
In other news, a new phishing hole in Safari for Windows was disclosed by Robert Swiecki in a Full Disclosure post. He also included a proof of concept which works on the new patched version (v3.0.1) of Safari.
My suggestion remains to wait for the final release before you consider using this "secured from day one" browser.