NSLog();

There exists a very good page that demonstrates a number of security flaws (all relating to the same type of thing) in Mac OS X: http://test.doit.wisc.edu/. Visit it now. How to protect yourself:

1. Get the Help Viewer security update from Apple. This closes the help: protocol only.
2. Disable the auto-opening of safe files in your browser(s). This will solve the .zip (.dmg, .sit, etc.) issue.
3. Disable the disk:, disks:, afp:, and telnet: protocols.
4. Set your ftp: protocol to FTPeel (or disable it).

You can use RCDefaultApp to do the disabling. I recommend reading these three articles as well. Or this one. Jay Allen also wrote one, though I disagree with the step that prompts you to download Paranoid Android.

All of the exploits listed on the test page above worked for me with a standard config. Of course, "worked" == "very bad" in this situation.