Here's how it works: if a Safari user has the "Open 'safe' files after downloading" option checked (which enables movies, images, music, text, PDF, and a few other automatic documents to be automatically opened upon completion of a download), a specially designed shell script can be executed. Normally, shell scripts will not be executed after Safari downloads them without user confirmation. However, if the script lacks a "shebang line" (e.g., #!/bin/csh) and the Finder is set to open scripts using Terminal, the Finder will pass the scripts to the Terminal application, where they will be executed.

If a script is given an extension such as "jpg" or "mov" and stored within a ZIP archive, Mac OS X will add a binary metadata file to the archive which determines its association. This metafile instructs the operating system on another Mac to open that file with the Terminal application -- regardless of its extension or the symbol displayed in the Finder. The Terminal will redirect scripts without an interpreter line directly to bash, the standard shell in OS X.

Part of the problem is due to the manner in which Mac OS X determines filetypes. Unlike OS 9 and earlier, which relied solely on file metadata (a four-digit creator code) to determine a file's type, Mac OS X uses both metadata and the extension to figure out how a file is handled. So although the script contains metadata in the form of a Terminal type/creator code, the .jpg or .mov extension causes Safari to treat it like a safe file.

Is this really the beginning of a wave of Mac OS X malware? Probably not. Given Apple's relatively small market share, it's not as attractive a target for malware writers as Windows is. That could change, if the installed base of computers running Mac OS X continues to grow as it has over the past year or so.

EDIT - Does this mean they have waited a full year and still havn't patched it? TSK TSK? ? ?