The Safari "carpet bombing" attack was first described bylast month, but dismissed by Apple as a serious threat. Under Dhanjani's scenario, a user would surf using Apple Safari for Windows to a maliciously crafted Web site such as http://malicious.example.com/. Dhanjani says Safari does not know how to render content-type of blah/blah, so it starts downloading carpet_bomb.cgi, executing the downloaded files with the same rights as the logged-on user. The end result is the victim's desktop is populated with a variety of malicious files.
Microsoft says it is the combination of the default download file location in Safari and how the Windows desktop handles the files that creates the blended threat on all supported versions of Windows XP and Windows Vista when Apple's Safari for Windows has been installed
Microsoft notes that users who change the default Safari download location are not affected. To change the download location in Safari, under Edit select Preferences. Where it says "Save Downloaded Files to" change the location.
Microsoft may follow the advisory with a security update if needed.