… a serious vulnerability has been found in Apple Safari on OS X. “In its default configuration shell commands are execute[d] simply by visting a web site – no user interaction required.” This could be really bad. Attackers can run shell scripts on your computer remotely just by visiting a malicious website.
Full text of the article: http://www.heise.de/english/newsticker/news/69862
Proof of concept from the original discoverer (Michael Lehn): http://www.mathematik.uni-ulm.de/~lehn/mac.html
The problem is due to a feature that is activated by default: Open Safe Files after downloading. A zip file is considered safe and so they will be opened automatically. Subsequently, a shell script with no #! at the beginning of the script will be executed automatically. No user interaction!
[[T_F]]Digital Content Theft Prevention and Tracing, Downloads and Online Property Protectiontracefusion_signature=3c6dfd13f0f56fff477d8ed7836d607927a25a6df746884f96a56d33a320cb3ac405924991c1591b16d5838b016d46a581be9511477908fda3442026d72b0a981e7accfe111a854a9d3c0d8da2388c6fe6472ed58ee3ec44d6a709992c47b94fdaca8180f6e1e523c5b5176a3a9a8ef7e59d65f4b435714fe665b756b9b57c4fa06e626a60934fc9f5b559b4cedf2095609574fa1a43aab2f77f74d47019b7937340937046403b16cf3ebc9ae80f014ebfef6e083f92704e3d49b687ce5f6940e3ef8de97b26b50164585f8c77f257f3dcbf9e6830148c88c9a3a2b9ce9b3b64ec9dbb9d7924adb7bb6adb32fd282957e6f4f1164cd7052864772a4d7c8be3d06a6d75e7a1746971c75b4838a6aac2adb80340c536f0b5beb417176babaf1dc76c9293461091c83057d31029234d941265d258315516885d371aa6c2a3bb9279d9d370eb833ea8caae894b7984d1f4af58fa959e99c6ffa0e97e66f2399c87107fa49a75dae56b6e383f48fb2453e4ef664cb7c05bfdf98bcdc151eb662b6cc548ac8834363d23273d4b30cfd7df24053878efa8bb5e71f368464ee0c3fa280c5d41efb7d558a075ab8392df8ccde36c60f1f260da053e922ad0610db3f5e133eb47e133ea85[[T_F]]
