WebKit in Apple Safari before 5.0 or Apple iTunes before 9.2 on Windows, does not properly handle changes to keyboard focus that occur during processing of key press events, which allows remote attackers to force arbitrary key presses via a crafted HTML document.