This could be really bad! Be sure to disable “Open ‘safe’ files after downloading” in Safari’s preferences to circumvent this security hole.

Read more from Jürgen Schmidt, editor-in-chief at heise.de.

Proof of concept provided by Heise Security.