By John Gruber
The latest “Month of Kernel Bugs” issue is quite serious: a “.dmg” disk image file which, if you attempt to mount it, will cause a kernel panic on any up-to-date Mac running 10.4.8.
You should be safe, of course, because you read Daring Fireball, and so you know that you should turn off Safari’s incredibly foolish “Open ‘safe’ files after downloading” preference. But given that this preference, which in my opinion shouldn’t even exist, is on by default, most Mac users are vulnerable to attack via this exploit. If you have this preference turned off, you’ll still get a kernel panic if you manually attempt to mount the disk image, but if you have the preference turned on, you’ll get a kernel panic just by downloading the file — and any web site you visit can initiate a file download automatically.
Question for Apple: How many times must this Safari preference be exploited before you remove it from Safari, or at least turn it off by default?