Wow that was fast!
It looks like Safari for Windows was released a little early. Whatever about the small functionality bug I found, the ability to run code remotely on your Windows machine is a critical vulnerability. Don’t use Safari on a Windows machine until these exploits have been fixed.
Hard to know where the blame lies for this – Thor Larholm blames Apple’s ignorance of Windows:
On the OS X platform Apple has enjoyed the same luxury and the same curse as Internet Explorer has had on the Windows platform, namely intimate operating system knowledge. The integration with the originally intended operating system is tightly defined, but the breadth of knowledge is crippled when the software is released on other systems and mistakes and mishaps occur.
While some commenters on his site blame Microsoft:
I don’t know, the way you described it seems more like a hole in the way Windows handles things than a Safari hole. Does a Windows API call launch a shell process, or does Safari manually go and run a command line program? If it’s the Windows API for URL handling, then it’s clearly broken. Every program that needs to grab a URL should not be responsible for patching holes in Windows.