You need to be an administrator to run the update on the local machine. I don't know if there's any authentication with Apple's servers, but I doubt it. (As others have mentioned, the security risk is minimal because it is the machine that initiates the contact with the server, so a hacker can't just tell the machine to run an update.)
Assuming the cracker has administrator or root (not a big assumption...it *will* happen one day), he can do pretty much anything he wants. The cracker can pop up software update windows anytime and replace the code that says "go to apple for software updates" with "go to my script kiddie site for software updates".
Re:works another way though on Cracking OSX · Score: 1
Remember, one of the reasons the user needs the software update is because his computer has a security hole which may have already been exploited. The little piece of MacOS X code that says "go to Apple to get my software update" can be replaced with "go to my script kiddie site for software updates".
I'm not a programmer and I have never seen it in action, but SGI has an OSS product named Jessie that's written in Java. I don't know what the performance is like.
Not a Panasonic press release but a CEBIT review:
0 455,97536,.shtml
:(
http://www.guru3d.com/cgi-bin/newspro/ktalk/98517
No prices either.
Here's the link to George Gray's "online Unisys History Newsletter".