Many UNIX and Linux systems actually have cron jobs that check for world-writable files. On Apple’s OS X there is no such safeguard and many vendors do not seem to care about file permissions much at all. Several well-known applications are either installed with world-writable files or create them when used:

World-writable files in system directories

The following applications install world-writable files in shared directories (/Applications, /Library, …):

• Adobe CS 4, CS 5: Some uninstallers + several files and directories in /Library/Application Support + various stuff in other locations
• Adobe Media Player: directory + some files in Contents/Resources
• Adobe Flash Player: directories (including AddIns und AddIns/airappinstaller)
• Amazon MP3 Downloader: some directories
• EPSON (Scan, TWAIN data source, Easy Photo Print, …): pretty much everything, including executables
• Eye-One Match 3: complete app, including executable
• eMusic Download Manager: complete app, including executable and JavaScript (the application is based on Mozilla)
• Telltale games: complete apps including executable and libraries
• Apple OS X: some plist and cache files, including at least one LaunchDaemon plist file
• Google+Growl Utility (not a Google product): whole app including executable
• HP Scan Pro (plus supporting files): everything including executables
• DivX Converter: resource files
• Apple Remote Desktop: some plist files
• Apple GarageBand: several plist and data files
• Apple ColorSync: some profiles
• Microsoft Office 2011: directory in /Library Application Support
• Elgato EyeTV: several plist files
• ABBYY FineReader Sprint 8.0: several data files
• ArcSoft (Connect Suite, MediaImpression 2): all files, including executables
• Extensis Suitcase Fusion 2: all files, including executables

World-writable files in user directories

The following applications install world-writable files in user directories (/Users/$USER):

• GoogleGrowl.plugin: whole plugin including executable
• 3rd-party extensions for Apple Safari: some extensions (e.g. AdBlock) install world-writable files
• Apple iPhoto: the whole library seems to be world-writable
• Adium add-ons: several add-ons install world-writable files
• eMusic Download Manager:some preferences files are world-writable
• Adobe (CS 4, CS5, Flash, …): several preferences files
• Apple MobileDevice: crash logs are world-writable

The lists have been compiled by inspecting my own systems and those of several friends by running

sudo sh -c \
  "find / -xdev -perm +o=w ! \( -type d -perm +o=t \) ! -type l -print0 | \
   xargs -0 ls -dl 2>&1 | \
   tee world-writable-files.txt"

and analyzing the output.

Note that running Disk Utility‘s “Repair Disk Permissions” does not have any influence on the issues described here.

Most OS X installations are probably single-user systems in reality but the situation is still somewhat ugly.

Facebook’s FAQs (1, 2) have not been updated accordingly yet.

It may be a good idea for the WordPress developers to sign their releases with a well known and trusted PGP key. This would allow people to verify that downloaded files are really what they should be!
This is a well-established practice used by other projects, for example by the Linux kernel.