It’s not a Trojan horse, but a recently revealed security vulnerability does appear to be real, and to be a real concern. The exploit relies on unsafe actions that Apple allows for certain URL types and makes it possible for a malicious AppleScript script to be executed on your Mac after you click a link on a Web site. No one of the actions in question is unsafe on its own, but when you combine the capability to download and automatically mount a disk image (which could contain a malicious AppleScript script) and the capability to run that AppleScript (because it’s in a known location), you end up with a recipe for trouble. Apparently, turning off Safari’s Open “Safe” Files After Downloading option in its General preference pane isn’t sufficient protection (and the vulnerability is present even if you use another Web browser). The best advice so far seems to be to use a program like Monkeyfood Software’s free More Internet preference pane to change the help protocol to use an innocuous program like Chess as its helper application, rather than Help Viewer (which can execute AppleScript scripts). That prevents Help Viewer from executing AppleScript scripts from a help:// URL and should protect your Mac until such time as Apple releases a security update to address the problem.
It’s worth keeping in mind that any action you take with your computer is potentially unsafe; a bug in a totally legitimate program could cause as much havoc as malicious software. Although there’s no reason to become entirely paranoid, we recommend that you exercise reasonable caution when evaluating the sources of files you download and links you click. And the most important thing to remember is that regular backups that maintain multiple versions of changed files will help you recover from almost any disaster with minimal effort.