
Tuesday, May 20, 2008

Apple ignores Safari carpet bomb flaw (for now)

Safari security issues giving you the blues? Nitesh Dhanjani and StopBadware.org are livid blue, calling the Safari ‘carpet bomb’ flaw a serious security risk.

Dhanjani originally discovered that it is possible for a booby-trapped Web site to litter the user’s Desktop (Windows) or Downloads directory (~/Downloads/ in OS X) with executables masquerading as legitimate icons.

If it’s not natural disasters or global warming or the economy, now Mac users have to watch out for drive-by malware on malicious web sites. Surely you know which ones are malicious, right? Dhanjani:

This can happen because the Safari browser cannot be configured to obtain the user’s permission before it downloads a resource. Safari downloads the resource without the user’s consent and places it in a default location (unless changed).

One report says Apple plans a fix in Safari 3.2, possibly due in September. If so, how bad can the ‘carpet bomb’ be?
