Microsoft has issued a formal security advisory with a confirmation of public warnings that the Safari "carpet bombing" vulnerability presents a remote code execution threat on all supported editions of Windows XP and Windows Vista.
The pre-patch advisory from Redmond follows public pressure from the Google-backed StopBadware.org for Apple to rethink its stance that the Safari issue should be considered a serious security vulnerability.
From the Microsoft advisory:
A combination of the default download location in Safari and how the Windows desktop handles executables creates a blended threat in which files may be downloaded to a user’s machine without prompting, allowing them to be executed.
...An attacker could trick users into visiting a specially crafted Web site that could download content to a user’s machine and execute the content locally using the same permissions as the logged-on user.
According to the advisory, the Windows portion of the blended threat is linked to Internet Explorer (IE 6 and IE 7 on Windows XP and Windows Vista, all service packs included). Technical details on the combo-threat are being kept under wraps but it is clear that Microsoft has
actual proof of an IE vulnerability can be used in tandem with Nitesh Dhanjani's Safari bug to launch a malicious executable if a user surfs to a rigged site with Safari.
Officials in the MSRC (Microsoft Security Response Center) held discussions with Apple before releasing the advisory.
As a temporary mitigation, Microsoft recommends that Windows uses restrict the use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.
Alternatively, if you must use Safari, you should change the download location of content in Safari to a location other than 'Desktop'. This can be done by launching Safari and using the Edit > Preferences and selecting a different location on the local drive for Save Downloaded Files to: option.
My previous advice stands. Uninstall Safari and use an alternative browser on Windows.