
Trojan Horses not a new threat

Mac security software company Intego recently warned the world that someone else had discovered a weakness in Mac OS X: it executes applications that you double-click on. They made claims like "Delete all of a user's personal files" and "users can no longer safely double-click MP3 files in Mac OS X," along with more rampant fear-mongering. Intego never mentions whether they bothered to report this "serious problem" to Apple, only that they felt they should announce it to the world immediately (after they had a fix for sale themselves, of course).

The hysterical warning by Intego notwithstanding, the threat of Trojan Horses is real for any operating system. That a file carrying MP3 audio can also carry executable code is not surprising (Intego describes the code as hidden in the ID3 tags; the code that actually runs has to live in the file's resource fork, which is why the delivery format matters, as discussed below). It is also not surprising that for this to work, the file has to be recognized by the operating system as an Application, and it is. Intego carefully neglected to point out that their "proof-of-concept" Trojan Horse is displayed as Kind: Application both in the Finder preview column AND in the Get Info window. This "serious threat" is basically just a sophisticated way of pasting an MP3 icon onto an application.

The Trojan Horse in question needs to be sent in a format that preserves and encodes the resource fork, which most other operating systems, file systems, and transfer methods strip away. This means the file would need to be packaged in OS X's zip format, StuffIt format, BinHex, or something similar. Most MP3s are not distributed this way, since MP3 is ITSELF a compression format and there is nothing to gain by archiving one.

Intego only advises people to buy their software, without even mentioning the way users can easily protect themselves: by not double-clicking every file that shows up. That omission says a lot about their intent, which seems to be to make money by greatly exaggerating a slight twist on an old rule: do not run applications unless you know they come from a trusted source!

In fact, I have tested the following: it is possible to make an AppleScript application saved as a bundle, include an MP3 file in it, and rename it so that it ends with .mp3. Paste an MP3 icon on it and you've essentially duplicated this "serious threat."
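The checks that the post leans on (Finder's "Kind: Application" verdict, the resource fork that non-Mac transports strip, and a renamed AppleScript bundle) can be applied from a script. The following Python is an added example for this post; it is not Intego's code and not the author's test above. It assumes the macOS convention of reaching a file's resource fork at `path/..namedfork/rsrc` (on any other system that path does not exist and the fork is reported as absent, which is the "stripped" case described above), and it generalises slightly by also catching a bare Mach-O executable given an .mp3 name. All sample files are constructed inline; none of them are real malware.

```python
"""Spot files that are named *.mp3 but are really applications.

Added example, not code from the post or from Intego. Three signs are checked:
  1. the path is a folder laid out like an application bundle,
  2. the data fork does not begin with MP3 audio (ID3v2 tag or frame sync),
  3. the file is executable or carries a resource fork (macOS only).
"""
import os
import stat
import tempfile

ID3_MAGIC = b"ID3"
# Mach-O and universal-binary magic numbers, both byte orders.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # 64-bit
    b"\xca\xfe\xba\xbe",                          # fat/universal
}


def looks_like_mp3_data(head: bytes) -> bool:
    """True if the first bytes are an ID3v2 tag or an MPEG audio frame sync."""
    if head.startswith(ID3_MAGIC):
        return True
    # Frame sync is 11 set bits: 0xFF, then the top three bits of the next byte.
    return len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0


def resource_fork_size(path: str) -> int:
    """Size of the resource fork via the macOS-only ..namedfork/rsrc path.

    Assumption: on non-Mac systems the stat fails and we report 0, which is
    exactly what happens to the fork after an FTP or HTTP transfer.
    """
    try:
        return os.stat(os.path.join(path, "..namedfork", "rsrc")).st_size
    except OSError:
        return 0


def classify(path: str) -> str:
    """Verdict for one path whose name ends in .mp3."""
    if os.path.isdir(path):
        # An application bundle is a folder; Finder shows it as a single icon.
        if os.path.isdir(os.path.join(path, "Contents", "MacOS")):
            return "application bundle with .mp3 name"
        return "directory with .mp3 name"

    findings = []
    with open(path, "rb") as f:
        head = f.read(4)
    if head in MACHO_MAGICS:
        findings.append("Mach-O executable header")
    elif not looks_like_mp3_data(head):
        findings.append("data fork is not MP3 audio")
    if os.stat(path).st_mode & stat.S_IXUSR:
        findings.append("executable bit set")
    rsrc = resource_fork_size(path)
    if rsrc:
        findings.append(f"resource fork present ({rsrc} bytes)")
    return "; ".join(findings) if findings else "plain MP3 data"


def scan(root: str) -> dict:
    """Classify every *.mp3 entry directly under root (case-insensitive)."""
    return {
        name: classify(os.path.join(root, name))
        for name in sorted(os.listdir(root))
        if name.lower().endswith(".mp3")
    }


def build_samples(root: str) -> None:
    """Constructed inputs for the demo; none of these are real malware."""
    # A genuine MP3 with an ID3v2.4 header, and one that starts at a frame.
    with open(os.path.join(root, "tagged.mp3"), "wb") as f:
        f.write(b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\x00" * 64)
    with open(os.path.join(root, "frame.mp3"), "wb") as f:
        f.write(b"\xff\xfb\x90\x00" + b"\x00" * 64)
    # The post's own construction: an AppleScript bundle renamed to .mp3.
    os.makedirs(os.path.join(root, "song.mp3", "Contents", "MacOS"))
    with open(os.path.join(root, "song.mp3", "Contents", "Info.plist"), "w") as f:
        f.write("<plist/>")
    # Generalisation: a bare Mach-O executable given an .mp3 name.
    with open(os.path.join(root, "track.mp3"), "wb") as f:
        f.write(b"\xfe\xed\xfa\xce" + b"\x00" * 64)
    os.chmod(os.path.join(root, "track.mp3"), 0o755)
    # Arbitrary junk with an .mp3 name (neither audio nor an executable).
    with open(os.path.join(root, "junk.mp3"), "wb") as f:
        f.write(b"hello world" + b"\x00" * 64)


def demo() -> dict:
    """Build the samples in a fresh temp directory and scan them."""
    root = tempfile.mkdtemp()
    build_samples(root)
    return scan(root)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

Two caveats for anyone running this on a Mac: pasting a custom icon onto a file also creates a resource fork (the icon resource), so fork presence is a flag to look at, not a conviction; and a hybrid like Intego's sample, with real audio in the data fork and the code in the resource fork, passes the header check, so the resource-fork line is the one that matters for it. Off a Mac, or after a transfer that drops the fork, the code is gone along with the fork, which is the post's point about delivery formats.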

Intego's original press release: http://www.intego.com/news/pr410.html

Intego's updated press release: http://www.intego.com/news/pr41.html

Again, in Intego's updated press release, they state the following: "Apple's Mail, and Microsoft's Entourage, for example, encode this file using binhex by default, which transmits the resources that are required for this Trojan horse to function."

Once again, they fail to mention that Mail (at least) warns you that the file is actually an application.

It is obvious to me that Intego is taking advantage of fear to drum up sales for software that most Mac users believe (correctly) they do not need. Simply paying attention to what one is doing will keep this particular "vulnerability" from becoming a threat.

There are few "fixes" for preventing users from foolishly executing malicious code by direct action. Should Apple require the user to confirm every new application's first launch? Most users would get so used to clicking "OK" that the prompt would lose any real effectiveness.

Of course, they could shell out money to Intego, and of course they would then be safe and sound, right? Intego, after all, has Mac users' best interests at heart.

Other relevant links:
MacFixit: http://www.macfixit.com/article.php?story=20040409073009731
Ars Technica: http://arstechnica.com/news/posts/1081623266.html
Geeks R Us: http://www.geeksrus.com/archives/000481.html
MacMerc: http://www.macmerc.com/news/archives/1336
MacNN: http://www.macnn.com/news/24167

I won't bother posting the links to all the inconceivably lazy publications that basically reprinted Intego's press release and actually put an author's name on their article. Just do a Google search for those pathetic excuses for journalism.



Posted by: Krioni on Apr 10, 04 | 4:11 pm
