I am very impressed. Apple has already closed the security hole (see below) in their Software Update mechanism.
With this surprisingly fast fix Apple proves how seriously they take security issues (responses to the latest SSH/Apache vulnerabilities have already been very timely too).
Get your Update here and don't forget to verify the checksum (2c039c683b7001defc35f93ba1f68db3e33e41fc) of the update after downloading AND dropping it onto StuffIt Expander:
/usr/bin/openssl sha1 /Path/To/SecurityUpdate7-12-02.dmg
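As an added example (not code from the original post), here is a small POSIX shell script that automates the checksum step above: it computes the SHA-1 of a downloaded file with whichever digest tool is installed (openssl, sha1sum or shasum) and refuses to continue on a mismatch or a missing file. The file names, the "hello" payload and its digest in the demo are constructed for illustration; on a real machine you would pass the downloaded .dmg and the digest published with the update. The one caveat to keep in mind is that the expected digest has to come from a channel the attacker cannot rewrite along with the download, otherwise a spoofed download can simply ship a matching spoofed checksum.

```shell
#!/bin/sh
# Added example, not from the original post: verify a downloaded update image
# against a SHA-1 digest obtained out of band, and stop on any mismatch.

sha1_of() {
    # Print the SHA-1 hex digest of "$1" using the first available tool.
    if command -v openssl >/dev/null 2>&1; then
        openssl sha1 "$1" | awk '{print $NF}'   # output looks like "SHA1(file)= <hex>"
    elif command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'         # output looks like "<hex>  file"
    else
        shasum -a 1 "$1" | awk '{print $1}'
    fi
}

verify_sha1() {
    # verify_sha1 FILE EXPECTED_HEX -> returns 0 on match, 1 on mismatch or missing file.
    # The expected digest is lower-cased so a hash pasted in upper case still matches.
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "MISSING: $file" >&2
        return 1
    fi
    actual=$(sha1_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Demo on constructed data; a real run would point at the downloaded .dmg.
demo() {
    tmp=$(mktemp -d)
    good=aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d   # SHA-1 of the string "hello"
    printf 'hello' > "$tmp/update.dmg"               # constructed stand-in payload
    if verify_sha1 "$tmp/update.dmg" "$good"; then echo "install may proceed"; fi
    printf 'hellp' > "$tmp/update.dmg"               # simulate a tampered download
    if ! verify_sha1 "$tmp/update.dmg" "$good"; then echo "install refused"; fi
    rm -rf "$tmp"
}
```

Call `demo` to see both outcomes; in practice wire `verify_sha1 /Path/To/SecurityUpdate7-12-02.dmg <published digest>` in front of whatever opens the image so that nothing is installed unless the check passes.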
And there's more: this update contains a COMMAND-LINE version of Software Update, which comes in very handy when administering several machines via SSH. See man softwareupdate for more info.
A recently published exploit calls it "trivial" to trick a user into installing malicious code.
IMHO DNS/ARP spoofing requires at least access to the victim's network, which I wouldn't call "trivial" given the victim's network is reasonably well protected.
In any case it is true that it is a big oversight from Apple not to incorporate any authentication mechanism into its Software Update program.
They could at least GPG-sign their downloads somehow and have Software Update verify the signatures.