After more than two years, Apple’s Safari browser for Macs remains vulnerable
to attacks that allow websites to litter a user’s hard drive with thousands of
The "carpet bomb" vulnerability was publicly disclosed in May 2008 after
members of Apple’s security team said they didn’t consider the quirk a security
issue. After Microsoft took the unusual step of advising its customers to stop
using Safari, Apple issued a patch Windows versions but not for OS X.
"This means that if you use the Safari browser on OSX, a malicious entity can
drop any amount of binaries or data files into your ~/Downloads/ folder," Nitesh
Dhanjani, the researcher who credited with discovering the vulnerability, wrote
over the weekend.