Probably one of the biggest Mac holes is in Apple's Safari Web browser, which downloads files that you click on or that are embedded in a Web page. That presents a problem because, by default, Safari is designed to open "safe" files as soon as they've been downloaded. Unfortunately, the definition of "safe" includes package-installer and disk image files, which can contain malware. If the malware files are embedded in a Web site, they could be downloaded and opened automatically.
Apple has done a good job of combating the potential damage in Mac OS X Leopard, which automatically detects disk images and applications that have been downloaded from the Internet via Apple's applications (Safari, Mail and iChat). However, to be truly safe, one of the best and easiest things you can do is disable the automatic opening of such files in the Safari preferences.
Disable automatic opening of downloads.
Click to view larger image.
From the Safari menu in the menu bar, select Preferences, click the General tab, and uncheck "Open 'safe' files after downloading." From now on, you'll need to manually open downloaded files by double-clicking them in your Downloads folder or in Safari's list of downloaded items.
Make sure not to click the "Do not show" option in the warning dialogs that Leopard displays when you open downloaded files; that way, you'll always be warned the first time each downloaded item is opened. (Note: This tagged file feature was introduced in Leopard and doesn't apply to earlier versions of Mac OS X.)
A similar security feature in Leopard is support for code signing, which places a digital signature in application files; your Mac checks them at launch to be sure that they haven't changed and alerts you if they have. Although many third-party applications don't yet support this, it is a powerful feature, and you should pay attention to any such warning. As with the tagging of downloaded files, do not click the "Do not show option" if you do see one of these alerts.