I've discovered that K-meleon 0.9b installation, based od Wechselbalg compilation is not vulnerable. Look
http://www.shmoo.com/idn/
On Firefox - address bar says
http://www.paypal.com and security check displays correct certificate, but Firefox displays wrong website.
Firefox 1.0 and also Mozilla _IS_ vulnerable, K-meleon is NOT, because it shows
https://www.pĐ°ypal.com/ on address bar
and displays icon that suggests nonsecure connection.
Here is more information on this bug:
http://users.tns.net/~skingery/weblog/2005/02/permanent-fix-for-shmoo-group-exploit.html
Yours
Marcin