Yesterday, a security flaw in Apple's web browser, Safari, was discovered. It revolves around the “Open ‘safe’ files after downloading” preference, which is on by default.
Basically, a malicious website can download a file that is masquerading as another type of file to your drive, and then proceed to do just about anything it wants, such as erasing all your files.
The first step in avoiding this problem is to uncheck that “feature” in the Safari preferences (under the “General” tab). Another step that can help while we wait for a security update from Apple is to move the Terminal application out of your Utilities folder, as the malicious files require it to be in that specific location to function. But you should put it back into the Utilities folder before performing any OS updates.
Unfortunately, the vulnerability exists in Apple's Mail application as well. The best advice I can give is to never open attachments or downloads if you are not sure of the source.
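A simple defender's check for the masquerading described above, written as an added example rather than anything from the original post: it compares a downloaded file's extension against its leading magic bytes and flags files that claim to be an image or PDF but start like a script. The signature table and the sample folder are constructed for illustration and are not a complete file-type database.

```python
"""Flag downloaded files whose magic bytes contradict the type their
extension claims. Added example; the signature table is a small
constructed sample, not an exhaustive list."""
import os
import tempfile

# Leading bytes for a few common "safe" download types (constructed list).
MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "script": (b"#!",),  # interpreter script; never a legitimate image
}
# The magic type each benign-looking extension is expected to carry.
EXTENSION_CLAIMS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png",
                    ".gif": "gif", ".pdf": "pdf"}

def detect_type(data: bytes) -> str:
    """Return the magic-byte type of a file header, or 'unknown'."""
    for kind, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return kind
    return "unknown"

def check_file(path: str):
    """Return (claimed, actual) if the extension lies about content, else None."""
    claimed = EXTENSION_CLAIMS.get(os.path.splitext(path)[1].lower())
    if claimed is None:
        return None  # extension not in our table; nothing to compare against
    with open(path, "rb") as fh:
        actual = detect_type(fh.read(16))
    return None if actual == claimed else (claimed, actual)

def find_masquerades(folder: str) -> dict:
    """Scan a downloads folder; map each suspicious filename to its mismatch."""
    hits = {}
    for name in sorted(os.listdir(folder)):
        full = os.path.join(folder, name)
        if os.path.isfile(full):
            result = check_file(full)
            if result:
                hits[name] = result
    return hits

def demo() -> dict:
    """Constructed sample folder: one real JPEG header, one script named .jpg."""
    folder = tempfile.mkdtemp()
    with open(os.path.join(folder, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 12)
    with open(os.path.join(folder, "funny.jpg"), "wb") as fh:
        fh.write(b"#!/bin/sh\necho constructed sample\n")
    return find_masquerades(folder)

if __name__ == "__main__":
    print(demo())  # {'funny.jpg': ('jpeg', 'script')}
```

Point `find_masquerades` at your real downloads folder to review files before opening them; a hit means the name and the content disagree, which is exactly the condition the auto-open preference would otherwise act on blindly.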
Updated (3.01.06): Today Apple released a security update that plugs these holes. Check out the story on Macworld.