Apparently a security firm has discovered a way to trick Mac OS X into running a trojan horse. The technique involves creating a data file, but embedding a Carbon program in it. (Carbon is a programming interface aimed at making it easy to convert older Mac applications to run on Mac OS X without switching into Classic mode.)
According to Intego, Finder will
see only the file type data display a spoofed icon identifying the file as (in their example) an MP3, but actually double-clicking on the file will cause the OS to notice the program code and run it. Their proof-of-concept code runs itself, then opens the file in iTunes in order to avoid looking suspicious.
This is very similar to a (fixed, but still present in a zillion unpatched systems) bug in Internet Explorer for Windows that was exploited by many mass-mailing viruses. In that case, IE would decide whether a file was safe by checking the MIME type sent by the server, then use the file extension to decide how to load the file. Viruses would generate messages embedding supposed MIDI files that Outlook would try to play, but instead of handing it to a MIDI player, it would ask the OS to open the file. Without the MIME info, Windows would see it was a program file and run the virus.
If this is confirmed, it will probably not be a vector for e-mail viruses, because the standard mail and web apps for Mac OS X don’t automatically run things the way Outlook, Outlook Express and Internet Explorer do.
No, the real danger will be viruses that spread through peer-to-peer file sharing networks. Download a supposed MP3 off of Gnutella, open up your music folder, double-click on it, and you’re infected.
Apple has said they “are aware of the potential issue… and are working proactively to investigate it.”
(Why is this news? Because it’s Apple, and because it’s so similar to a popular virus vector in Windows. Exploitable vulnerabilities are found so often in Windows I hardly blink.)
Updated slightly based on some real analysis (see comments).