Microsoft issued an advisory late Friday warning users of Apple's Safari browser that it is vulnerable to a blended threat that allows remote code execution.
The vulnerability can be exploited on all supported versions of Windows XP and Windows Vista, Microsoft said in its advisory.
The problem is a bug in the default download location in Safari and in the way Windows handles executable files. An attacker could exploit the vulnerability by tricking users into visiting a website to download malicious content to the user's machine.
"We've activated our Software Security Incident Response Process (SSIRP) and are working with our colleagues at Apple to investigate the issue," Microsoft's Tim Rains, a product manager in the Microsoft Malware Protection Center said in the Microsoft Security Response blog.
Apple released Safari for Windows last year. In March, it made the browser available to Windows users of iTunes by default during a software update.
Rains said Microsoft is not aware of any attacks in the wild. As a workaround, Microsoft is advising Safari users to change the default location where Safari downloads content to the local drive.
The issue could stem from a warning from security researcher Nitesh Dhanjani earlier this month, who discovered a way for a malicious website to litter a Safari user's desktop or downloads directory with files. Dhanjani described the problem calling it a Safari carpet bomb, on his blog. Dhanjani discovered three issues with Safari and said he has been working with Apple to resolve them.