An anti-malware organization has called on Apple to beef up its Safari Web browser to protect users from exploits that could let attackers download malicious code to a Mac or Windows user’s desktop.
A large security hole in the Windows version of Safari has led security researcher Nitesh Dhanjani to believe that malicious users could exploit the browser with what he calls a “Safari Carpet Bomb”.
“This can happen because the Safari browser cannot be configured to obtain the user’s permission before it downloads a resource. Safari downloads the resource without the user’s consent and places it in a default location (unless changed),” Dhanjani said, warning that it could be used as a drive-by malware distribution mechanism.
Although Dhanjani praised Apple’s security team for its rapid response to his queries, he also noted that the Cupertino, Calif.-based computer and consumer electronics maker declined to update Safari to lock out such attacks.




