ALARM Group ALERT
Alert Number: 022406-01
Alert Date: 02/24/06
Alert Title: Flaw in OS X could lead to system compromise
Update-to: None
OS/Platform/Application: Apple Safari Web Browser running on Apple OS X; Apple Mail 2 on OS X; Mac OS X 10.4 (other versions may be vulnerable as well)
Category: ALERT
Severity: MEDIUM
Attention: Apple OS X System Administrators/Users, Desktop Support Personnel
Summary: A recently discovered (and potentially serious) flaw in the way Mac OS X v10.4 handles data files under certain circumstances has been reported by several Internet security resources and other media sources over the past few days. In essence, the flaw may allow malicious shell commands/scripts to be run on a victim machine with no user interaction other than visiting a specially crafted web page using the Safari Web Browser or opening an email message using the Apple Mail client (with default Safari and mail client settings).
At the time of this writing (12:15 EST 2/24/06):
(1) no active exploits for this vulnerability (in the form of malicious web pages, etc.) are yet known to exist.
(2) no vendor-supplied fix for the vulnerability has been released but several workarounds have been suggested by the Internet Security community.
Recommended Actions: As a precautionary measure, Mac OS X administrators/users are encouraged to read the information below (see links in the "Resources" section) to gain a better understanding of the threat and risks associated with this vulnerability. Apple Safari default preference settings can be modified as a workaround against exploitation via the web browser (see link below). Alternative applications such as Mozilla Firefox (web) and Thunderbird (mail) are also being suggested by various security resources as another means of minimizing the risks associated with this vulnerability.
ITS Actions: At this time, ITS is taking no additional formal actions to address this issue. An update to this alert will be issued if the situation changes and/or ITS elects to take additional actions.
Resources:
US-CERT Technical Cyber Security Alert Advisory:
http://www.us-cert.gov/cas/techalerts/TA06-053A.html
US-CERT Tutorial on altering Safari Default Preferences Settings (to minimize risk of exploit):
http://www.us-cert.gov/reading_room/securing_browser/#sgeneral
SANS Diary of OS X Flaw:
http://isc.sans.org/diary.php?storyid=1138
Symantec Advisory:
http://securityresponse.symantec.com/avcenter/security/Content/16736.html?code=nlvirusbug24731
BBC News article on vulnerability:
http://news.bbc.co.uk/2/hi/technology/4739432.stm
USA Today article on vulnerability:
http://www.usatoday.com/money/industries/technology/2006-02-23-mac-security_x.htm