Saturday, August 21, 2010

Cross-Site Request Forgery, huh?

WTF does that mean? Well, it's kinda tricky to explain, but it's pretty frightening. Basically, as server and application security has improved over the past few years, the bad guys have begun changing their means of attack. Now that the apps and servers are more protected, they move to the weakest link: the desktop and the browser. Instead of exploiting your trust in a bank's website, it exploits the bank website's trust in your browser.

Imagine you're logged into your banking site, and surfing Facebook or your favorite blog. A bad guy can post a malicious link (even embed it in an image so you never even see it) that counts on the fact that your banking site has already authenticated you. That malicious link or image sends a request to your banking site on your behalf that transfers some ungodly amount of money to some guy in Nigeria. You don't even see it happen. Your bank isn't alerted because you were logged in successfully, and you've just lost your money. While the stars may have to align for a bad guy to be able to exploit this, it is still listed in OWASP's Top Ten Vulnerabilities.

Is there a fix? Kinda. The easy fix is just to make sure that you don't surf to pages that you don't fully trust while logged into a sensitive site. If you're paranoid like me, you can use completely separate browsers for "surfing" and banking.
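The fix above is on the user's side. On the site's side, the usual defense against exactly the scenario described is a per-session anti-CSRF token: the site embeds a random secret in its own forms, and a request that arrives with the session cookie but without the matching token is refused. The following is an added example written for this post, not code from the original; the `/transfer` handler, the in-memory `SESSIONS` store and the form field names are assumptions for illustration.

```python
import hmac
import secrets

# Constructed, in-memory session store: session id -> session data.
# A real application would keep this in its session backend.
SESSIONS = {}


def start_session(user):
    """Log a user in: create a session and bind a fresh random CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the site embeds (e.g. as a hidden field) in its own transfer form.

    Only a page served by the bank itself can read this value; a page on
    another site can make the browser send the cookie, but cannot see the token.
    """
    return SESSIONS[sid]["csrf"]


def handle_transfer(cookies, form):
    """Hypothetical /transfer handler. Returns (status, message).

    The browser attaches the session cookie automatically, which is what CSRF
    relies on. The token does not travel automatically, so a request forged
    from another site arrives authenticated but without a valid token.
    """
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return (401, "not logged in")

    submitted = form.get("csrf_token", "")
    # Constant-time comparison so a wrong token cannot be told apart by timing.
    if not hmac.compare_digest(submitted, session["csrf"]):
        return (403, "missing or invalid CSRF token")

    return (200, "transferred %s to %s for %s"
            % (form["amount"], form["to"], session["user"]))


if __name__ == "__main__":
    sid = start_session("alice")
    cookies = {"session": sid}
    # Request the way a cross-site page would trigger it: cookie present, no token.
    print(handle_transfer(cookies, {"amount": "1000", "to": "mallory"}))
    # Request from the bank's own form: cookie and matching token.
    print(handle_transfer(cookies, {"amount": "50", "to": "bob",
                                     "csrf_token": csrf_token_for(sid)}))
```

The token must be unpredictable and tied to the session; checking only that the cookie is present is what the attack counts on. Modern browsers additionally honor the `SameSite` cookie attribute, which stops the cookie from being attached to most cross-site requests in the first place, but the token check is the defense that does not depend on the visitor's browser.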