I have long maintained that OS X had no ability to propagate a virus automatically. It seems (though I haven’t confirmed with testing) that AppleScript does indeed have this ability with Address Book.

You can write a script that gets a list of addresses of all your contacts in Address Book, creates a new email, attaches a file, and sends it.

That would be very much like the .VBS viruses on Windows like “I Love You”, I think.

So it does seem that OS X has some automation that makes it vulnerable. We’ve been discussing it on a Mac site and we have come up with a solution for Apple to implement:

Apple should put a Keychain password on the Address Book db. With that, if what you think is a .JPEG is actually a script and it tries to access your Address Book contacts, a Keychain dialog would come up, which would immediately let you know you aren’t launching a .JPEG.

Personally, I don’t think there should be this ability to have a script dynamically populate the address field of an email. You can create workflows with email that have specific addresses, but dynamic?