Dashboard and Security, part II

Posted by Jonathan

Somebody on Full-Disclosure posted that there is a new vulnerability with Dashboard. He describes a malicious Widget that waits until the user uses sudo and then the Widget uses sudo too to get superuser rights.

This is not a “first-class” vulnerability like a buffer overflow or format-string vulnerability. This could happen with any other application on any other Unix. Just remember that Widgets are (or can be) full-featured applications. They run as the local user and therefore have only that user's rights. But like any other application they can use sudo and the password grace period in /etc/sudoers to obtain root privileges (see timestamp_timeout in the sudoers man page).

The only thing that Apple can be “accused” of is that they enabled the password grace option. Disable it if you are paranoid. Do not download and install every Widget on the net, just as you do not download and run every application out there.
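The two paragraphs above describe the mechanism (a process running as the user reuses the sudo timestamp left behind by the user's own sudo call) and the remedy (disable the grace period). The following script is an added example written for this post, not code from the original post or from Apple: it reads a sudoers file, reports the effective timestamp_timeout, and flags whether the grace period is off. The two sudoers files it inspects are constructed for the demonstration; the 5-minute fallback is sudo's documented compiled-in default when no Defaults line sets the value.

```shell
#!/bin/sh
# Added example, not from the original post: a defender's check of the sudo
# password grace period ("timestamp_timeout" in sudoers) discussed above.
# The sudoers text below is constructed for the demonstration; point the
# functions at /etc/sudoers (readable as root) to check a real system.

# Print the effective timestamp_timeout, in minutes, declared by a sudoers
# file. If no "Defaults ... timestamp_timeout=N" line is present, print
# sudo's compiled-in default of 5 minutes. A value of 0 disables the grace
# period (every sudo call prompts for the password); a negative value makes
# the timestamp never expire.
sudo_timestamp_timeout() {
    file="$1"
    val=$(sed -nE \
        's/^[[:space:]]*Defaults.*timestamp_timeout[[:space:]]*=[[:space:]]*(-?[0-9]+(\.[0-9]+)?).*/\1/p' \
        "$file" | tail -n 1)
    if [ -z "$val" ]; then
        echo 5
    else
        echo "$val"
    fi
}

# Exit 0 when the grace period is disabled, 1 otherwise.
grace_disabled() {
    [ "$(sudo_timestamp_timeout "$1")" = "0" ]
}

# Constructed samples. SAMPLE_DEFAULT leaves timestamp_timeout unset, so any
# process running as the user (a Widget included) can run sudo without a
# password for up to 5 minutes after the user last authenticated.
# SAMPLE_HARDENED is the same file with the grace period switched off.
TMPD=$(mktemp -d)
SAMPLE_DEFAULT="$TMPD/sudoers.default"
SAMPLE_HARDENED="$TMPD/sudoers.hardened"

cat > "$SAMPLE_DEFAULT" <<'EOF'
# constructed sample: no timestamp_timeout setting
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
EOF

cat > "$SAMPLE_HARDENED" <<'EOF'
# constructed sample: grace period disabled
Defaults env_reset
Defaults timestamp_timeout=0
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
EOF

# Print one line per sample file with the value found and its meaning.
report() {
    for f in "$SAMPLE_DEFAULT" "$SAMPLE_HARDENED"; do
        if grace_disabled "$f"; then
            echo "$f: timestamp_timeout=$(sudo_timestamp_timeout "$f") -> grace period off"
        else
            echo "$f: timestamp_timeout=$(sudo_timestamp_timeout "$f") -> grace period ON"
        fi
    done
}

report
```

To apply the hardened setting on a real machine, add the line `Defaults timestamp_timeout=0` through `visudo` rather than editing /etc/sudoers directly, so a syntax error cannot lock you out of sudo. If you would rather keep the grace period, `sudo -k` invalidates the timestamp immediately after you are done, which closes the same window.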

With 10.4.1 Apple repaired the auto-install feature of Widgets. Now malicious Widgets cannot get onto your computer without user interaction.

If the user behaves stupidly, it is not Apple’s fault. But they should remind the user of the possible dangers of newly downloaded files, and with 10.4.1 they do.
