Summary: your most visited sites are displayed by Safari to choose from - these can be manipulated by an attacker using JavaScript - replaced sites can be used to phish your account details (e.g. bank details) and the URL can be hidden due to another Safari bug.

Result: all your $$$ are belong to teh crakzorz if you use Saf4's "top sites" feature (I'd be wary of the equivalents in other browsers too).