We recently came across this article published in one of the Chinese Security E-zines, called pstzine, which talks about a new zero day Cross Domain Scripting flaw in IE6. This is still unpatched in IE6 as of now but IE7 and FireFox are not vulnerable to this.
The issue is very similar to the “Ghost Page” issues in IE, which was originally raised by security researchers, Manuel Caballero and Fukami at Microsoft Bluehat 2008 , and there were some discussions on this topic on online blogs like GNUCitizen.
We’ve notified Microsoft about this information. Until a patch is available, we advise IE6 users to disable scripting in the browser or upgrade to IE7 to avoid potential exploitation due to the public disclosure of this vulnerability.