The company acted within days of the news emerging. The way Apple had set-up the Software Update facility of OS X could leave users vulnerable to hackers.
BugTraq explained: “HTTP is used with absolutely no authentication. Using well known techniques, such as DNS Spoofing or DNS Cache Poisoning, it is trivial to trick a user into installing a malicious program posing as an update from Apple.”
Signed or off Apple's new Security Update 7-12-02: “Increases the security of the Software Update process for systems with Software Update client 1.4.5 or earlier. Packages presented via the Software Update mechanism are now cryptographically signed, and the new Software Update client 1.4.6 checks for a valid signature before installing new packages. Downloaded packages which do not contain a valid signature are deleted from the system.”
The update, which is for Mac OS X 10.1 or later, is available from Apple. The update will also be available soon using then Software Update panel in System Preferences (requires Mac OS X 10.1.1 or later).
Last week, Robert Harding, discoverer of the flaw, explained to Macworld: “Every other operating system vendor has some sort of authentication mechanism. Most are automatic, others at least post MD5 checksums.” (MD5 checksums are numerical data inside files that can be used to uniquely identify and verify the integrity of files).
At that time, Harding suggested: “Since the OS uses XML via HTTP, the obvious solution would be to use HTTPS, and validate security certificates.” Effectively the solution Apple has adopted.