Index: wp-admin/admin-functions.php
===================================================================
--- wp-admin/admin-functions.php	(revision 3856)
+++ wp-admin/admin-functions.php	(working copy)
@@ -1887,7 +1887,7 @@
 
 	// Set correct file permissions
 	$stat = stat(dirname($new_file));
-	$perms = $stat['mode'] & 0000666;
+	$perms = $stat['mode'] & 0664; // never executable, never world-writable
 	@ chmod($new_file, $perms);
 
 	// Compute the URL
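Review bot: The mask on the new `$perms` line is applied to an unchecked `stat()` result: if `stat(dirname($new_file))` returns false, `$stat['mode']` is not a mode, `$perms` evaluates to 0, and the `@`-suppressed `chmod` would strip every permission bit from the upload with no error surfacing. Guarding the pair, e.g. `if ( $stat ) { $perms = $stat['mode'] & 0664; @ chmod($new_file, $perms); }`, leaves the file with the mode it was created with in that case. The inline comment is accurate for the mask, but it could also record that the bits are inherited from the parent directory, so a group-writable directory still yields a group-writable file: `// inherit rw bits from the parent dir; never executable, never world-writable`. The enclosing function starts and ends outside this hunk.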
