About a month ago, we "questioned Apple":http://blogs.stopbadware.org/articles/2008/05/19/safari-security-questio... for characterizing a Safari security vulnerability as a "feature" issue, not a security issue. This issue got "further attention":http://blogs.stopbadware.org/articles/2008/06/12/safari-vulnerability-no... when Microsoft announced that the Safari vulnerability combined with a Windows vulnerability could lead to remote code execution.
I'm glad to report that Apple has patched the hole in the Windows version of Safari, though they continue to treat the unprompted downloading of files as a non-security issue, as indicated by this write-up from their "advisory":http://lists.apple.com/archives/Security-announce/2008/Jun/msg00001.html:
bq. An issue exists in how the Windows desktop handles executables. Saving an untrusted file to the Windows desktop may trigger the issue, and lead to the execution of arbitrary code. Web browsers are a means by which files may be saved to the desktop. To help mitigate this issue, the Safari browser has been updated to prompt the user prior to saving a download file. Also, the default download location is changed to the user's Downloads folder on Windows Vista, and to the user's Documents folder on Windows XP. This issue does not exist on systems running Mac OS X.
In other words, Apple is saying that the only security issue is the Windows desktop vulnerability, and that Safari has been patched merely to protect users from Microsoft's flaw. The patch is an essential download for anyone running Safari on Windows, but it is disappointing that Apple continues to shift the blame and to maintain that the Mac version of Safari has no security issue.
I also hope that we will see a patch from Microsoft that addresses the Windows desktop vulnerability directly.
Hat tip to Ryan Naraine at the ZDNet Zero Day Blog for "reporting on Apple's update":http://blogs.zdnet.com/security/?p=1302.