After the new tab opens, wait 3 seconds and see how the content of the web-page changes but the address-bar stays the same. Jun (the finder) is being nice here because a real attacker can be inside an iframe in a legit website (for example, an ad banner in Facebook) and take control of the full page without the user realizing. In other words, change the full content of the main window but keeping the address bar intact.
This bug was found and reported by Jun, immediately rejected by MSRC, and after a lot of Twitter noise, MSRC privately admitted it as a bug. But here we can see how these people generally behave. They do not take the time to properly analyze what they receive, they overlook and reject real vulnerabilities.
Anyway, here's a faster version of the PoC. Ideal for impatient users who want to be spoofed quickly =)
Below is the response of the Microsoft Security Response Center. Later, after all the Twitter noise, they told the finder the bug was in fact, valid. A typical attitude of this department. Something that happened to many researchers including myself: bug sent, rejected, posted in twitter and later, "please remove it". Don't you think it's fair to request that the people watching our backs on Microsoft programs should be a bit more passionate and check a couple of minutes before rejecting?
