Still remember the carpet bombing attack on Safari? Well, it is still not fix on OSX simply because Apple did not find a way to exploit it. Bottom line, the file is saved automatically on OSX in the download directory, but it is still not yet possible to exploit it (yet).
Guess this will be a ticking timebomb. As soon as a remote binary execution exploit is found for OSX. That will either be the day some guy get famous because of this combine attack or the day that many Mac get compromised.
Well, remember that you heard this first from me. And do not come banging my wall when it happen. It ISNT me!