New Mac OS X Flaw: ZIP Shell Script Execution
Just today, it was reported on Secunia that an extremely critical OS X flaw has been discovered. The problem arises from the way OS X handles the __MACOSX folder in ZIP-compressed archives. This problem exists even in the most updated Mac system running OS X 10.4.5. All I can say right now is that you should be very careful about what archives you open. Take the vulnerability test to see if your system is prone to such exploits. Hopefully, Apple will release an update quickly, as they recently did with the 10.4.5 update after the 10.4.4 exploit. Thanks to Charles Dale for pointing me to this one.
The vulnerability is caused due to an error in the processing of file association meta data (stored in the "__MACOSX" folder) in ZIP archives. This can be exploited to trick users into executing a malicious shell script renamed to a safe file extension stored in a ZIP archive.