The Security Mentor

Apple's already fixed this in OS X version 10.4.1 but it leaves me with a bad feeling.

The bug was in the new Dashboard feature. You can download new widgets to include on your Dashboard, and Apple's web browser Safari could be tricked into installing one behind your back if you had an option turned on called "Open Safe Files". Then the widget could do things on your computer. If the widget only does good things you'll be OK but I do not recommend, on today's Internet, that you rely on the kindness of strangers.

For now, if you're running Tiger, make sure you run Software Update and get version 10.4.1. In Safari, turn off "Open safe files after downloading". But there may be more problems later.

I fear more problems because Apple made a bunch of design decisions that don't look security-minded.

They made it easy to install software without the usual safeguards

They let the web browser believe that a program can be "safe"

They gave the downloaded programs too much freedom. There are restrictions but some Dashboard widgets are considered trusted and allowed to run free.

I hope I'm wrong about something on that list because those are exactly the decisions Microsoft made with Internet Explorer that have been causing havoc for years.

Here's the official advisory for the Dashboard auto-install issue.