Apple Safari before 6.0.1 does not properly handle the Quarantine attribute of HTML documents, which allows user-assisted remote attackers to read arbitrary files by leveraging the presence of a downloaded document.