Heise.de has reported what can be definitely called a critical security flaw.
The default setting for Safari is to open "safe" files at the end of download, unzipping them if needed. And here is the trick: if some nasty coder zips a malicious shell script, it will be ran without request for confirmation. Under normal circumstances, shell scripts begin with a "shebang line" such as "#!/bin/bash" to indicate which interpreter should handle its execution. However, Mac OS X will load scripts without a shebang line into the Terminal where it will be executed by a shell even if the file's extension is something unrelated like ".jpg". Of course, there's some social engineering involved given that the file has to be downloaded firsthand.
To prevent this from happening, uncheck "open 'safe' files after downloading" and move Terminal out of the Applications folder to keep it from running automatically.
As a demonstration of this flaw, Heise prepared the following download. Impressive but harmless, it opens a shell window and displays the content of a folder:
http://www.heise.de/security/dienste/browsercheck/demos/safari/Heise.jpg.zip
This flaw is actuallly much more worrying than the so-called "virus" everybody talks about now.
Select all / none
Apple
CD Drives
G5
Hard Drive
Internet
iPad
iPhone
iPod
Laptop
MacBidouille
Mac Intel
Mac OS X
Network
Overclock
PC
Peripheral
Software
Sound
SSD
Video
