Apple claims to have fixed the issue where applications could run automatically out of a Time Machine backup. Look for CVE-2008-0038 in Apple’s “About the security content of Mac OS X 10.5.2 and Security Update 2008-001”.
Thanks to Apple for mentioning me. I certainly would have reported the bug regardless, but it’s a nice bonus.
The only thing I wish had happened differently was an earlier acknowledgement from Apple that they realized what I was describing and agreed it was a security problem. I didn’t find out Apple considered it a problem until January 22nd, when they asked how I’d like to be credited for discovery. Most of that time I wondered if I should file more details in an attempt to convince them it really was a problem. But, of course, that’s Apple’s nature.