icblog

Keeping the Worms Out of Apple. A security experts announces a major flaw in an OS software updating process; the company fixes it a few days later. Microsoft? No, Apple! Apple, historically, never did quite as good or public a job of fixing security problems in Mac OS. In the last year, however, they’ve entirely redeemed themselves through frequent and well documented security updates to Mac OS X. The latest update reflects a problem discovered in which Apple doesn’t cryptographically ensure software updates are actually from Apple . It also doesn’t encrypt the downloads, a lesser problem. A properly distributed worm or even a hack into an ISP’s DNS servers could have allowed non-Apple sources to spoof new updates and install them with root access. This hadn’t happened yet, partly because Apple is so good at keeping ports closed and software up to date. (If you’re using Software Update regularly already, you would have already installed the security updates that would have prevented Apache and SSH flaws from ruining your day or year.) Apple today pushed out a security fix which signs all updates. Bravo … [GlennLog]