Apple has posted a fix for its Software Update mechanism used in Mac OS X. The update is available from the company’s support Web site and will be available via Software Update shortly.
As MacCentral reported last week, Software Update fetches its packages over plain HTTP with no authentication. Using well-known techniques such as DNS spoofing or DNS cache poisoning, it is trivial to trick a user into installing a malicious program posing as an update from Apple.
With the new Security Update fix, packages presented via the Software Update mechanism are now cryptographically signed, and the new Software Update client 1.4.6 checks for a valid signature before installing new packages. Downloaded packages that do not contain a valid signature are deleted from the system, according to Apple.
Apple also provides detailed instructions for those users who want to verify the checksum of the Security Update using the Terminal application.
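The fail-closed behavior described above, verify before install and discard anything that fails, as an added example that is not Apple's code or the instructions the article refers to. Apple's actual algorithm and checksum values are not on the page, so SHA-256 is an assumed stand-in and the expected digest must come from a trusted out-of-band source, never from the same unauthenticated download channel.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so large packages are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_or_delete(path, expected_hex):
    """Keep the package and return True only when the digest matches.

    On any mismatch the file is removed and False is returned, mirroring the
    described client behavior: a package without a valid check never stays
    on disk waiting to be installed by mistake.
    """
    actual = sha256_of_file(path)
    # compare_digest avoids leaking how many leading characters matched.
    if hmac.compare_digest(actual, expected_hex.lower()):
        return True
    os.remove(path)
    return False


def demo():
    """Constructed sample: an intact package and a tampered copy of it."""
    payload = b"constructed sample update package\n"  # not a real Apple package
    expected = hashlib.sha256(payload).hexdigest()    # trusted digest (assumed)
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "update.pkg")
        bad = os.path.join(d, "tampered.pkg")
        with open(good, "wb") as f:
            f.write(payload)
        with open(bad, "wb") as f:
            f.write(payload + b"extra")  # simulates a substituted download
        kept = verify_or_delete(good, expected)
        rejected = verify_or_delete(bad, expected)
        return kept, os.path.exists(good), rejected, os.path.exists(bad)


if __name__ == "__main__":
    print(demo())  # → (True, True, False, False)
```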