What this actually reveals is that sudo used a faulty mechanism for detecting whether a previous authentication is still valid, by failing to check system time was not before the authentication time.
su does not do this, though kdesu can be set to do so, but there is no reason to suspect it has the same bug, as any competent security programmer should find it obvious.
If a cracker knows the last privilege authentication time they could still use the technique (which is why system logs should be accessible to root only), providing they can also change the system clock. A user needs root privilege to change the system clock, which is only available through sudo, if used. Presumably, sudo was also checking the new time rather than the old when deciding whether to allow clock modiification - another bug!
Without sudo, the root password is needed to change the system clock, so this would not work.
However, it is always possible su might contain some exploit, but not one as obvious as this. It is such an obvious flaw it reflects extremely badly on the authors of sudo, who apparently didn't know better. That, I think, is the key point here.
