Proof of concept code has been released that exploits a Windows vulnerability exacerbated by the combined use of the Safari browser on the Windows platform. Internet Explorer installed under Windows Vista/XP will, under certain circumstances, load specially named dynamic link library files from the desktop (if they exist) before looking for them in the standard system folder. By default, Safari downloads files to the desktop without requesting confirmation. As a result, the combination of Safari running on Windows XP/Vista could allow for easy remote execution of arbitrary code.

Fortunately, while the flaw sounds scary the number of folks at risk is relatively small. On average, the Safari browser accounts for 2% or less of all web browser use and, according to data from Net Applications, only .21% of that 2% are running the Safari browser under Windows. Still, if you're among that .21% of 2% you have plenty of cause to be concerned.

On May 30th, Microsoft released an out-of-band security advisory regarding the flaw, which they described as a "Blended Threat from Combined Attack Using Apple’s Safari on the Windows Platform". Despite releasing the advisory, Microsoft did not release a fix for the DLL handling in their June 10th 'patch Tuesday' cycle. Instead, Microsoft's suggested action is to avoid using the Safari browser. However, while Safari users can't resolve the underlying problem of IE's handling of DLLs, they can avoid the problem this handling causes simply by changing the default download directory to a folder from which IE isn't loading.

It is interesting that Microsoft released an advisory regarding the flaw as it pertains to Safari, yet failed to react or release an advisory (or a patch) when the underlying DLL handling issues were first reported in 2006. According to Microsoft's May 2008 advisory, the vulnerability exists under pretty much every combination of Windows and Internet Explorer that Microsoft currently supports.