This widget exploit seems pretty serious. To sum up, Safari can be made to install widgets without prompting, the widget can make calls to the system, e.g. deleting your home directory, and you won't be warned that the widget contains code that makes system calls. And there is no widget management or inspector utility. Seems like the same mistake that Microsoft made with tying the browser too closely with the OS. On the plus side, I would imagine that it would be pretty easy to fix these vulnerabilities and would expect an update to be available soon.
Not quite right. While everything you said is apparently true, there is one more step... after the widget is downloaded and installed in the Macintosh HD/Library/Widgets/ folder, the USER MUST drag it from the widgets dock and place it on the Dashboard for it to be invoked... and then agree to run it for the first time. Only then can its malicious intent be realized.