Apple has patched the Safari “carpet bombing” vulnerability that led to a Safari-to-Internet Explorer remote code execution combo threat. The threat will be fixed in the next release of Safari.

Apple has insisted for weeks that the issue is more of an annoyance than a security risk. Apple released Safari v3.1.2 yesterday for Windows with a patch warning that saving untrusted files to the Windows desktop may lead to the “execution of arbitrary code.”

Safari v3.1.2 for Windows, available for Windows XP and Vista, also fixes at least three additional vulnerabilities that could lead to information disclosure and code execution attacks.

Visiting a malicious website that is in a trusted Internet Explorer zone may lead to the automatic execution of arbitrary code.

According to Apple’s security team, the user would have to be complicit in an attack that causes a sufficiently high number of files to be downloaded. It’s more annoying than risky, and to stop it you just close your browser.

A source advises that Apple will fix the issue in Safari 3.2, which is slated for release in the summer (September) this year.