#FF00AA

My name is Cédric Bozzi, I make apps and websites, and this is my tech blog — you’ll find news commentary here, from a very opinionated Mac-head.

Il y a une version française ici, but most of this blog’s contents are extracted from my Twitter feed, and hence only available in one language (which varies randomly).

21 feb. 2006

Safari will automatically execute some Unix shell scripts if the “Open ‘safe’ files after downloading” preference is checked. That’s the kind of mistake Microsoft would have made five years ago, and goes to show that, even within Apple, there are people seriously overestimating the platform’s immunity to malware. That’s frightening.

And, actually, heise online’s downloadable example [via] is much more far-reaching: it’s a zip file with a .jpg inside, which Finder displays with the same icon it uses for jpegs on my system (Xee’s icon, not the regular Preview icon), yet if you double-click it a Terminal window will open and execute the script’s contents (in this case, a simple ls). I don’t know about you, and maybe I just missed a security advisory when I switched, but I thought that, if you’d configured OS X to always display file extensions, you could safely double-click any document file as long as it had the extension it should have. Was I actually spoiled by Windows?!

 

Mind-blowing quote:

When the University of California at Irvine campus was first built, they just put the buildings in. They did not put in any sidewalks; they just planted grass. The next year, they came back and built the sidewalks where the trails were in the grass. That’s what haxies are to the Mac software market. Haxies are those paths in the grass.

 
