Oh dear - why do large companies, such as Microsoft, have to wait for the exploit to be demonstrated before doing something about poor code? Things like this are serious and undermine everything about HTTPS/SSL. Poor effort from the certificate supplier too for allowing the null character.
[A] hacker on Monday published a counterfeit secure sockets layer certificate that exploits a gaping hole in a Microsoft library used by all three [MSIE, Safari, Chrome] of those browsers. Although the certificate is fraudulent, it appears to all three to be a completely legitimate credential vouching for the online payment service. The bug was disclosed more than nine weeks ago, but Microsoft has yet to fix it.