Version:            (using KDE 3.5.10)
OS:                Linux
Installed from:    Unlisted Binary Package

Currently, because Desktop Configuration files are considered not to be scripts, no check is made on the execute bit before running the Exec line, even though the effect is similar to a script. This even applies if the line is run by clicking on the file, which is the normal functionality these files provide. Unfortunately, this feature, combined with the ability of these files to display a different name and icon and thus appear as a different file type altogether, enables confidence tricks to be played on users if they can be persuaded to download a disguised file in the belief it is a document or image, and to click on them to open them. This provides a trojan attack vector to install malware in a user's account without their knowledge. Whilst it has security implications, the scenario is well-known and therefore little harm is done by mentioning it here.
I have developed a patch for kdelibs 3.5 which helps users to identify such files by checking the execute bit if the file is not (owned by root and outside the /home tree) or alternatively in the ~/.kde/ tree. If the execute bit is not set the file will open in kwrite (if available) instead of running its Exec line.
Thus those seeking to deceive would have to take more complex steps to disguise their work and maintain its functionality, and such steps are more likely to alert the user that all is not as it seems.
Desktop files copied from the above permitted areas will have the execute permission set automatically to preserve the drag-and-drop functionality.
This "More Secure Desktop" can be turned off if the user does not want it.
I will attach the patch and also an rpm spec file to show how the components can be installed.