..configured to obtain the user?s permission before it downloads a resource. Safari downloads the resource without the user?s consent and places it in a default location (unless it is changed).
Apple Safari does not prompt the user before downloading an object that has an unrecognized content type, which allows remote attackers to place malware into the (1) Desktop directory on Windows or (2) Downloads directory on Mac OS X, aka a "Carpet Bomb," a different issue than CVE-2008-1032. NOTE: Apple reportedly has stated that "we are not treating this as a security issue." NOTE: Microsoft describes the issue on the Windows platform as "a blended threat that allows remote code execution."
I am NOT aware of any ANY other browser.....
Given that recent Safari debacle (sorry if I press the fast forward button here) it dawned on me that ANY browser that defaults to downloading files to the desktop could trick users into this again.
I have a guinea pig to do that to but for those among us that dig into these things I ask. Do you see that?