Apple Issues Security Updates (2006-001) for Mac OS X 10.4.5 and 10.3.9

by Scott Nourse last modified Oct 11, 2008 12:17 PM

Apple has released security updates which address numerous issues, including a serious hole where Safari can download and automatically open dangerous applications disguised as a "Safe File". This update is recommended for ALL Mac OS X computers.

The Issues:

Apple has issued a series of Security Update 2006-001 patches which fix a dangerous Safari vulnerability, among other issues.

From MacCentral:

Apple on Wednesday released Security Update 2006-001, available for download through the Software Update system preference pane and from Apple’s Downloads Web page. The update addresses a recently reported exploit that left Safari users vulnerable to malicious shell scripts; corrects a vulnerability in Apple’s Mail software; and also changes the way iChat handles file transfers to help prevent the “Leap-A” malware.

Caution still needed:

While these updates keep Safari from automatically opening these potentially dangerous files after they have been downloaded, double-clicking on the file WILL EXECUTE it. See the end of this article for an example and further description.


Only for Mac OS X 10.4.5 and 10.3.9

Please note: computers will first have to be upgraded to Mac OS X 10.4.5 or 10.3.9 (or 10.3.9 Server). We always recommend downloading and installing from the Combo updates when available.


Update Links & More Info:

  • Security Update 2006-001, Mac OS X 10.4.5 (PPC): improves security and is recommended for all users. 03/01/06, 12.5MB

  • Security Update 2006-001, Mac OS X 10.4.5 Client (Intel): improves security and is recommended for all users. 03/01/06, 22.5MB

  • Security Update 2006-001 (10.3.9 Client): improves security and is recommended for all users. 03/01/06, 25.3MB

  • Security Update 2006-001 (10.3.9 Server): improves security and is recommended for all users. 03/01/06, 38.6MB

Information about the Safari, LaunchServices Exploit

  • Safari, LaunchServices

    CVE-ID: CVE-2006-0394

    Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.5, Mac OS X Server v10.4.5

    Impact: Viewing a malicious web site may result in arbitrary code execution

    Description: It is possible to construct a file which appears to be a safe file type, such as an image or movie, but is actually an application. When the "Open `safe' files after downloading" option is enabled in Safari's General preferences, visiting a malicious web site may result in the automatic download and execution of such a file. A proof-of-concept has been detected on public web sites that demonstrates the automatic execution of shell scripts. This update addresses the issue by performing additional download validation so that the user is warned (in Mac OS X v10.4.5) or the download is not automatically opened (in Mac OS X v10.3.9).

  • From MacFixit.com

    Based on the components affected by this update, it appears Apple has taken measures to prevent against the threat posed by the "Zero-day exploit" (aka "Safari Automatically Executes Shell Scripts"). See our Mac OS X Security Flaw roundup for more information.

    UPDATE: After installing this update and restarting, Safari no longer succumbs to this online demonstration of the Zero-day exploit flaw, even if the "Open safe files after downloading" option is turned on in Safari's preferences, hence nullifying this potential exploit for most purposes.

    The online demonstration no longer results in the presentation of a Terminal window displaying a folder listing. However, the script will still execute if the user double-clicks the downloaded file (which has a JPEG icon and file extension but actually contains a shell script and a special resource fork that tells the Terminal to execute it).

    Again, as stated in our previous coverage, one of the best protective methods you can use is to inspect any newly obtained downloads before launching them. Click on the newly received download once to select it, then press the Command and I keys simultaneously, or go to the "File" menu in the Finder and select "Get Info."

    If the file carries the icon representation of an image or some other file, but shows a different "Kind" in the Get Info window, something isn't right. Avoid launching the file and follow up by obtaining information about the authenticity of the download source.

  • If a seemingly "safe" file (e.g. Heise.jpg) has a different file type (view it in the Finder or with Get Info), do NOT open the file. In the example below, notice that though the file is named and 'looks' like a harmless .jpg image file, it registers itself as a Terminal document, which in this case could allow it to execute ANY sort of code the user has privileges for.

[Image: Dangerous File 1]

[Image: Dangerous File 2]
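The Get Info inspection above can also be done from a Terminal. The script below is an added example, not part of this page, Apple's update or MacFixit's coverage: it flags a download whose name claims a "safe" image or movie type but whose content starts with a script header, carries the executable bit, or (on Mac OS X only) has a resource fork. The extension list, the `check_download` and `magic_hex` names and the constructed sample files are this example's own choices.

```shell
#!/bin/sh
# Added example: flag a download whose name claims a "safe" type but whose
# content or metadata says otherwise. Extension list and messages are ours.

# Print the first N bytes of a file as lowercase hex, e.g. "ffd8ff" for JPEG.
magic_hex() {
    od -An -tx1 -N"$2" "$1" | tr -d ' \n'
}

# Return 0 if the file looks like what its extension claims, 1 if suspicious.
# One line is printed per finding so the result is readable in a terminal.
check_download() {
    f="$1"
    base=${f##*/}
    case "$base" in
        *.*) ext=$(printf '%s' "${base##*.}" | tr 'A-Z' 'a-z') ;;
        *)   return 0 ;;                      # no extension: nothing is claimed
    esac
    case "$ext" in
        jpg|jpeg|png|gif|mov|mp4|pdf) ;;      # "safe" types Safari auto-opens
        *) return 0 ;;                        # not a type we expect to be disguised
    esac
    bad=0
    # 1. Content check: a "#!" interpreter line has no business in an image.
    if [ "$(magic_hex "$f" 2)" = "2321" ]; then
        echo "$f: extension .$ext but content starts with a #! script header"; bad=1
    fi
    # 2. Format check: the magic bytes must match the claimed image format.
    case "$ext" in
        jpg|jpeg) [ "$(magic_hex "$f" 3)" = "ffd8ff" ]   || { echo "$f: not a JPEG"; bad=1; } ;;
        png)      [ "$(magic_hex "$f" 4)" = "89504e47" ] || { echo "$f: not a PNG"; bad=1; } ;;
    esac
    # 3. Mode check: a downloaded image should never carry the executable bit.
    if [ -x "$f" ]; then
        echo "$f: executable bit set"; bad=1
    fi
    # 4. Resource fork check (Mac OS X only; the path does not exist elsewhere).
    if [ -s "$f/..namedfork/rsrc" ]; then
        echo "$f: carries a resource fork that may bind it to another application"; bad=1
    fi
    return $bad
}

# Constructed samples: a genuine JPEG header and a shell script named like one.
demo_dir=$(mktemp -d)
printf '\377\330\377\340JFIF' > "$demo_dir/real.jpg"
printf '#!/bin/sh\nls -la\n' > "$demo_dir/Heise.jpg"
chmod +x "$demo_dir/Heise.jpg"
check_download "$demo_dir/real.jpg"  && echo "real.jpg: OK"
check_download "$demo_dir/Heise.jpg" || echo "Heise.jpg: SUSPICIOUS"
```

Run it over `~/Downloads/*` to review every new download before opening anything; a non-zero exit means at least one finding was printed.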


