Is this the start?

http://news.zdnet.com/2100-1009_22-5700982.html

It was stupid of them to enable auto-installing by default.

It's a small vulnerability, though JavaScript-wise it's safe. I'm not sure about how the ability to use Cocoa plugins in it affects it, though (you are able to execute shell commands through Objective-C). However, because Mac OS X is based on the UNIX permissions system, the worst that could happen is a user account be compromised; the integrity of the entire system should be unaffected, though. Also, when installing a new widget via double-click or auto-install Dashboard prompts you if you actually want to install the widget. This system, however, is unprotected as it doesn't give a warning. Apple should create some kind of review system for widgets; then when they're considered safe, they carry some kind of internal certificate.

And if you get one of these misbehaving widgets, they're easy to kill and stop because the permissions prevent them from installing lovely startup items everywhere. Granted the average Mac user won't know how to tackle this issue, but it could be done with some help.

Ultimately, the best idea would be to get rid of the auto-install option. It has also caused them problems in the past with a previous Safari exploit.

Actually root can be compermised as it has no password when default install is done. with the right cammand (using camand line Net Info) you can enable root and....lets not think about that (rm -rf /)

Actually root can be compermised as it has no password when default install is done. with the right cammand (using camand line Net Info) you can enable root and....lets not think about that (rm -rf /)
Yes it has no password, but it is a disabled account; to enable it, the user must enter the administrative password. Directly from Mac OS X's help:

By default the root account is not active.

could call sudo rm -rf /

you never know the user might be silly enough to enter the password.