Firefox’s password manager (version 2.0), as of November 2006, has a software flaw that allows a user’s credentials (for the site currently being visited) to be posted to any URL if the user clicks a maliciously crafted link.
And IE (6 or 7) has this issue:
Internet Explorer is usually a prime target for malware infection. …… these vulnerabilities converge at a dangerous point where malware programs are specifically targeting AutoComplete information. These programs gain confidential information, and then send it back to the attacker.
So what can we do to reduce the risks? Fortunately, the article provides some defensive strategies. They suggest avoiding password managers altogether, using a strong (not easily guessed) password to protect the password manager, using an alternative password manager that supports encryption, using strong and unique passwords for every site, and even some programming tips for web developers.
On my Mac I use 1Password. 1Password uses a master password, encrypts stored passwords and form data, and can generate unique random passwords for any site. You can download 1Password here and give it a test drive.