Apple Safari automatically executes shell scripts - more precisely, a whole range of techniques come into play. The trigger, however, is Safari's stupid habit of automatically starting the appropriate viewer for certain file types - and of sometimes assigning file types incorrectly. In general, it is simply a bad idea for a browser to try to classify downloads as safe or unsafe and then pass them on to an external program - because this external program is usually in no way prepared to receive unsafe content. As soon as the browser misjudges a file, the trojan is functional.

So people: turn off the "execution of safe file types" in Safari. And Apple could take this as an opportunity to finally remove this function from Safari. The few extra clicks won't kill the user ...
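The misclassification described above can be checked for on the defender's side. This is an added example, not code from the original post: it flags downloads whose extension claims a "safe" type but whose content is a script or does not match that type. The extension list, magic-byte table, and sample file names are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

# Assumption: extensions a browser might auto-open as "safe", mapped to the
# magic bytes a genuine file of that type starts with.
SAFE_MAGIC = {
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".pdf": [b"%PDF-"],
    ".zip": [b"PK\x03\x04"],
}

def classify(path):
    """Return 'unknown', 'ok', 'script' or 'mismatch' for one file."""
    path = Path(path)
    magics = SAFE_MAGIC.get(path.suffix.lower())
    if magics is None:
        return "unknown"      # not a type that would be auto-opened
    with path.open("rb") as fh:
        head = fh.read(16)
    if head.startswith(b"#!"):
        return "script"       # shebang hidden behind a "safe" extension
    if any(head.startswith(m) for m in magics):
        return "ok"           # content agrees with the extension
    return "mismatch"         # extension and content disagree

def scan(directory):
    """Return sorted (name, verdict) pairs for files that should not auto-open."""
    flagged = []
    for entry in Path(directory).iterdir():
        if entry.is_file():
            verdict = classify(entry)
            if verdict in ("script", "mismatch"):
                flagged.append((entry.name, verdict))
    return sorted(flagged)

def demo():
    """Build constructed sample files in a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 12)
        (root / "invoice.pdf").write_bytes(b"#!/bin/sh\necho constructed sample\n")
        (root / "report.png").write_bytes(b"<html>not an image</html>")
        (root / "notes.txt").write_bytes(b"plain text\n")
        return scan(root)

if __name__ == "__main__":
    for name, verdict in demo():
        print(f"{name}: {verdict}")
```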

Update: and here's the reason why I get a bit pissed off about such bugs - sorry, but this is Microsoft-World, not Unix-World. Please pull yourself together and don't do such nonsense.
