[nyellin]

Sorry, but that's another common misconception.

As non-admin, you have authenticate to create or delete items in /Applications/. However, all items you move to /Applications/ remain under the ownership of your user.

You can confirm this without even opening the terminal: move the directory Foo/ to /Applications/Foo and notice that /Applications/Foo/bar is user-writable.

(Furthermore, admin on OS X (and many modern Linuxes) isn't equivalent to the traditional root account. Using a non-admin account doesn't make the difference you think it does.)

[WiseWeasel]

OK, it seems to ask me to authenticate to move a folder to certain directories in /Applications, apparently those created by installers running with admin privileges, but I am able to move a folder to a folder that I've moved to the /Applications directory under my regular user account with authentication without needing to re-authenticate. But since the majority of my apps are not in their own directories, I am still asked for admin privileges to modify them. I am aware that the admin account is not in the root wheel, but the /Applications directory is owned solely by the 'admin' account; just not necessarily all sub-directories apparently.

[nyellin]

Every app is its own directory!

Look at blog post I referenced above. It has an example for modifying the binaries inside Firefox.

[WiseWeasel]

It does work for Firefox, which I don't use on my Mac, but not for Safari, which I do. It seems first party apps and ones installed with a proper installer are not susceptible to this vulnerability, so you would have to rely on the presence of third party apps that don't get installed with installers. I would guess Mac App Store apps are also protected, but I am unable to test that. You are right that there is a vulnerability, though it's extent is questionable.