Microsoft has released a security advisory warning of the effect we have previously reported as “Safari Carpet Bombing.” This is what most people would call a vulnerability in Safari on both Windows and OS X: Safari does not warn users before downloading files. The default download location for Safari on Windows is the Desktop, so a malicious page could fill the desktop with files, some of them potentially malicious, and social engineering could then be used to trick the user into opening at least one of them.
No program is perfect, but Apple’s response to the vulnerability was disturbing. They don’t consider it a security vulnerability, and are treating user confirmation as just another feature request. Apple has taken a lot of heat over this, including from StopBadWare.org.