“It’s unfortunate, because this Trojan is an actual attempt by Ukrainian criminals to hijack Macs, but it’s not exploiting any sort of security hole in any version of Mac OS X. To get hit by it, you must (a) be the sort of moron who downloads ‘video codecs’ from porno sites; (b) mount the disk image and launch the installer; and (c) grant the installer administrator privileges to install whatever it wants, wherever it wants on your system. No system can prevent that.”
(Via Daring Fireball.)
John is, of course, completely correct. However, everything that he says above is also applicable to the majority of Windows malware, including all of the main ones which will infect you at the moment. Social engineering is easier and more effective than trying to rely on the existence of an unpatched security hole, because the existence of a stupid user in front of the keyboard can be more reliably predicted than the existence of a security hole behind it.