10.4. Protecting Yourself from Harmful Downloads
I have some good news and some bad news. First the good: Regardless of which browser you use or how sketchy a site you visit may be, you can't accidentally catch a virus or install any harmful software simply by clicking a link on a web page. You can download software with a click, and if it's compressed, it may decompress automatically — sometimes converting, in the process, from a disk image into an application or installer. And some kinds of downloaded files, such as PDFs and graphics, may open automatically in Preview or another suitable program. Even so, the mere act of downloading a file can't, all by itself, cause any malware to infect Mac OS X because you can't run a downloaded application in Mac OS X simply by clicking a web link.
By default, Safari opens certain kinds of files it considers safe after downloading them — PDF files, sounds, word-processing documents, disk images, and so on. To disable this behavior, choose Safari Preferences to open the Preferences window, click General to open the General pane, and then click the Open "safe" files after downloading check box to deselect it. Then close the Preferences window.
Another piece of good news: Both Safari and Firefox (among other browsers) can alert you if you attempt to visit a site that's known to contain malware, assuming you have the right preferences turned ...