Indeed. Subverting the system with user intervention is most likely what you'll see. I'm not a Mac guy, and don't play one on TV, so I'd like to know something about the way that OSX handles attachments and the like. On Linux, when you save a file attachment or download something, if you want it to execute you must chmod it to run. This is one of those things that makes unix systems safer than MS-Windows, which executes based on file extensions. Does OSX do anything to eliminate this step? I'd kind of be surprised if they did, as it breaks a lot of security models.
You can include execute permissions inside a tar or zip file, but you still have the intermediate step of extracting before you'd be able to run it. Even then, this doesn't break user-level security, as you can't elevate your own permissions just because those permissions had been set in the tar. Granted, you can wipe your own stuff out if you do something stupid, but there is nothing you can really do about that, as a user generally will have write permissions on his own data pretty much no matter what.
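The mode bits a tar archive carries, as described above, can be inspected before anything is extracted. The following Python sketch is an added example, not part of the original posts: it lists members whose stored mode has execute or setuid/setgid bits, then extracts with those bits dropped so that running a file still takes an explicit chmod. The archive contents, file names and function names are constructed for illustration.

```python
import io, os, stat, tarfile, tempfile

SPECIAL = stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX
EXEC = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def build_sample_tar():
    """Constructed sample archive: names, contents and modes are made up."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode in [("notes.txt", 0o644), ("run.sh", 0o755), ("helper", 0o4755)]:
            data = b"#!/bin/sh\necho constructed sample\n"
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def audit_modes(tar_bytes):
    """Return {name: [flags]} for regular files stored with exec or setuid/setgid bits."""
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar.getmembers():
            flags = []
            if m.isfile() and m.mode & EXEC:
                flags.append("executable")
            if m.mode & stat.S_ISUID:
                flags.append("setuid")
            if m.mode & stat.S_ISGID:
                flags.append("setgid")
            if flags:
                findings[m.name] = flags
    return findings

def extract_without_exec(tar_bytes, dest):
    """Extract flat regular files only, dropping exec and special bits; return {name: mode}."""
    modes = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar.getmembers():
            # Skip links, devices, and any member name that contains a directory part.
            if not m.isfile() or os.path.basename(m.name) != m.name or m.name in (".", ".."):
                continue
            path = os.path.join(dest, m.name)
            with open(path, "wb") as out:
                out.write(tar.extractfile(m).read())
            os.chmod(path, m.mode & ~(EXEC | SPECIAL) & 0o777)
            modes[m.name] = stat.S_IMODE(os.stat(path).st_mode)
    return modes

if __name__ == "__main__":
    sample = build_sample_tar()
    print(audit_modes(sample))
    with tempfile.TemporaryDirectory() as d:
        print({n: oct(m) for n, m in extract_without_exec(sample, d).items()})
```

Even when the setuid bit is kept on extraction, the extracted file is owned by the extracting user, so the bit grants no more than that user already has.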
If you download an executable file on a Mac, the system comes up with a message asking if you're sure you want to download it. It then appears in a disk image and you have to double click on the installer to run it. It will ask for your password when you run the installer to upgrade privileges sufficiently to install it.
I don't think there is as much protection if you download an executable in an email. Then again, I don't remember ever receiving a Mac executable in an email so it may not be considered a useful vector.
In any event, you would have to actually download and deliberately run it for it to work. There is no system that allows for a "drive by download" because the Mac has no equivalent to ActiveX controls.
Microsoft's decision to make Internet Explorer integral to the operating system appears to have been the worst possible security mistake. There is no technical reason to make a web browser capable of updating the OS. In MacOS X, system updates are performed in a way entirely unrelated to the web browser and so there is no way a web browser can update the OS.
The ability to make Windows Update work from the web forces horrible security vulnerabilities since it means that Windows has to be updateable from the browser environment. Browser helper objects, the things that create those ghastly popups, can be downloaded automatically thanks to these same technologies.
Since there's nothing like them on the Mac, the Mac is inherently far more secure than a Windows machine.
In addition, the Mac's email software does not have a JavaScript interpreter and so you can't script emails. Outlook was fully scriptable via emails, which again was a huge and very costly mistake.
Did that help?
D