Mac OS Software-Update Exploit
A recently published exploit calls it "trivial" to trick a user into installing malicious code.
IMHO, DNS/ARP spoofing requires at least access to the victim's network, which I wouldn't call "trivial", given the victim's network is considerably well protected.
In any case, it is true that it is a big oversight by Apple not to incorporate any authentication mechanism into its Software-Update program.
They could at least somehow GPG-sign their downloads and have Software-Update verify the signatures.
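
As an added illustration (not code from the original post or from Apple), this is one way an update client could check a detached GPG signature against a key shipped with the system before installing anything. The function names, the keyring file and the installer command are hypothetical; `gpgv` is the verification-only tool that ships with GnuPG.

```shell
#!/bin/sh
# Added example: fail-closed signature check for a downloaded update.
# Function names and file paths are hypothetical.

# verify_update PKG SIG KEYRING
# Returns 0 only if SIG is a valid detached signature over PKG made by a key
# in KEYRING. KEYRING must be pinned locally (shipped with the OS); fetching
# it from the update server would let a DNS/ARP spoofer supply their own key.
verify_update() {
    local pkg="$1" sig="$2" keyring="$3"
    # A missing file is a failure, never a reason to skip the check.
    [ -f "$pkg" ] && [ -f "$sig" ] && [ -f "$keyring" ] || return 2
    # gpgv looks up slash-less keyring names in its home directory,
    # so make a bare file name explicitly relative.
    case "$keyring" in
        */*) ;;
        *) keyring="./$keyring" ;;
    esac
    # gpgv accepts only keys in the given keyring: no keyserver lookups,
    # no web of trust, no user keyring.
    gpgv --keyring "$keyring" "$sig" "$pkg" >/dev/null 2>&1 || return 1
    return 0
}

# install_if_verified PKG SIG KEYRING INSTALLER [ARGS...]
# Runs INSTALLER on PKG only after the signature verifies; otherwise the
# unverified download is deleted so nothing can pick it up later.
install_if_verified() {
    local pkg="$1" sig="$2" keyring="$3"
    shift 3
    if verify_update "$pkg" "$sig" "$keyring"; then
        "$@" "$pkg"
    else
        echo "signature check failed, discarding $pkg" >&2
        rm -f -- "$pkg"
        return 1
    fi
}
```

With this in place, a spoofed update server can still deliver a file, but without the vendor's private key it cannot produce a signature that the pinned keyring accepts.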