Nota: Di questo testo esiste una versione in italiano
A malformed Installer package (.pkg) on Mac OS X could be used to insert user accounts with administrator rights and change root-owned system configuration or binary files without prompting the vast majority of Mac OS X users for a password of any kind.
This is what claims a piece called “How a Malformed Installer Package Can Crack Mac OS X” on the MacGeekery web site. Looks like it is a known issue, first discovered in July of this year on the Apple discussion forums and officially acknowledged but not yet patched.
The insecurity works with an Admin user and exploits the AdminAuthorization key in Installers: according to the documentation this is not a expected behavour and could be used to modify root-owned files such as
/etc/sudoers. Nonetheless it is used by software installers such as Parallels that adds new kernel extensions and flushes the cache, as stated in the piece and confirmed -among others- by a comment following my submission at Slashdot.
For a solution another comment suggests that using a non-Admin account an Admin password is asked by the Installer (so as it should be, ie using Terminal you need to prefix
sudo), behaviour which could also minimize other security issues.