"carpet bomb"?!? Can we get more sensational than that? Great way to grab some headlines. Next time, try "nuclear holocaust".

I wonder how long after he submitted the report to Apple before he went for the headlines. Did he give them time to investigate and work up a solution (assuming it was merited)?

Well you could have just read the response from Apple to get an idea of what they thought.

"We can file that as an enhancement request for the Safari team. Please note that we are not treating this as a security issue..."

Apparently he waited long enough for them to reply.

He was apparently nice enough to notify them instead of just releasing malicious code based on the 'supposed' exploit.

Apparently apple doesn't see downloading automatically a large amount of files a problem. Hmmm.

This is just a DOS attack. Downloading a file is not an exploit: at most downloading a lot of files can lead to your link being saturated and eventually your disk filling up, but you will notice it and you can unilaterally stop it at any time. There are far worse attacks you can pull on a browser... simply opening a bunch of frames and rendering a big HTML file in each will bog a browser down worse than this "attack".

Oh, should I have notified Microsoft and Firefox and Apple before saying that?

,,,is that yes, safari does automatically download the files, but it's microsoft's OS that automatically RUNS the dll files. sems safari's problem may be somewhat minor in comparison