updated 03:20 pm EDT, Thu July 22, 2010
Exploit unaddressed for a year
The exploit has been tested with proof-of-concept code, and can reportedly steal data in seconds. Some awareness of the threat is said to have existed for a year, but Grossman notes that he provided details to Apple in June of this year and received only a single auto-response in reply. A second message sent to Apple produced no answer.
The vulnerability is not unique to Safari, but Safari 5 was released just last month with the problem intact. The other exposed browsers are Internet Explorer 6 and 7; Internet Explorer 8 is said to be protected. To safeguard affected software, the only known solution so far is to disable AutoFill or its equivalent.