A new security hole in the Safari webbrowser for Apple’s Mac OS X has been discovered. This security hole is rather severe, as it invokes the execution of shell scripts under certain circumstances.
Once again the Safari option “open ’safe’ files automatically after download” bears the blame. If this facility runs across a shell script that is missing the so-called Shebang-row, the system won’t ask the user whether to execute the file automatically anymore - it’ll just execute it anyways. Unfortunately you can simply rename a shellscript without a Shebang-row to known-good filetype extensions like JPG or PNG and put that renamed script into a ZIP file - zipping as well an administrative file that’ll connect that file with the shell. A target Mac then “knows” automatically how to open that file if it receives that ZIP - it’ll take it as totally normal to execute the “jpg file” with the shell.
Continue at Source ...