
Safari and Firefox Open to Major Security Hole

Looks like there’s a big security hole in Safari (as well as Firefox) that takes advantage of the “open safe files” feature. From 4null4.de:

If this facility runs across a shell script that is missing the so-called Shebang-row, the system won’t ask the user whether to execute the file automatically anymore - it’ll just execute it anyways. Unfortunately you can simply rename a shell script without a Shebang-row to known-good filetype extensions like JPG or PNG and put that renamed script into a ZIP file - zipping as well an administrative file that’ll connect that file with the shell. A target Mac then “knows” automatically how to open that file if it receives that ZIP - it’ll take it as totally normal to execute the “jpg file” with the shell.

There are two easy ways to avoid this problem. First, move Terminal to a different location, since the exploit hard-codes the command-line tool’s path. Second, disable the safe download feature in Safari. Always be questioned before a download is opened and you’ll be a bit safer. And remember, never work as a root user… that’s how so many people get in trouble on Windows boxes.
