In theory, a user must click a link to visit a malicious website that can begin downloading arbitrary files (including applications) to the user's computer without their permission. The problem affects both the Windows and Mac versions of Safari.
Researcher Nitesh Dhanjani reported the flaw to Apple, which promised to patch it in a future release of Safari. ZDNet and StopBadware.org contend, however, that a patch should be released immediately.
It's old advice, but it bears repeating: be careful of the links you click, and know where they go before you click them.