Critical security flaw in Mac OS X Help Viewer
Update 2: see John Gruber's page An Ounce of Prevention which is kept updated with the latest information.
Update 1: Apple has released a security update that fixes the flaw within the Help Viewer (released on May 21 but the fix is oddly dated 2004-05-24):
Security Update 2004-05-24 delivers a number of security enhancements and is recommended for all Macintosh users. This update includes the following components:
Security firm Secunia has published a security advisory about a critical security flaw in
Safari and IE 5.2 the Help Viewer which allows for the execution of scripts in the system with a simple URL, such as this one :
<a href="help:runscript=MacHelp.help/Contents/Resources/English.lproj/shrd/OpnApp.scpt string=usr:bin:top">click to run 'top'</a> (test for yourself if you're on Mac OS X, the following link will launch a Terminal window and execute the utility 'top' that shows the running processes: click to run 'top', just press 'q' to quit top then quit the Terminal and the Help Viewer.)
P.S.: if you're of the paranoid type you have a few solutions until Apple fixes this flaw: