Hello Listers:

An official of the Virginia Macintosh User Group sent out a report today about a new danger in using Apple's Software Update facility to download software. Below is this report about Apple's fix and problems in using it.

> Apple has acted quickly and posted a Security Update 7-12-02 on its web site
> and it is available via Software Update mechanism.
>
> "[It] increases the security of the Software Update process for systems with
> Software Update client 1.4.5 or earlier. Packages presented via the Software
> Update mechanism are now cryptographically signed, and the new Software
> Update client 1.4.6 checks for a valid signature before installing new
> packages. Downloaded packages which do not contain a valid signature are
> deleted from the system."
>
> There have been some issues noted when the Security Update is installed
> before other system software updates are installed (once the Security Update
> is installed, Software Update control panel indicates that the system
> software is up-to-date--even if it isn't). Recommend installing the other
> Apple system software updates before installing the security update.
>
> For more information, check out today's report (Sunday) on MacInTouch at
> <http://www.macintouch.com>.
>
> There is also additional info at <http://www.macnn.com> and
> <http://www.macfixit.com>.

MacCentral's announcement of the fix is at:
http://maccentral.macworld.com/news/0207/13.update.php

Apparently, this is a badly conceived quick-fix that must be used cautiously and without haste, or really, not at all. The new patch will lie to you in common situations and, if I understand one person's report, even prevent other updates from being applied in the conventional way. The other links above lead to comments that there are better solutions involving encryption, similar to credit card and banking transactions.

The security update allows itself to be installed before installation of updates previously made available. The requirement is OS X 10.1, not 10.1.5. And for now, Apple's page at:
http://docs.info.apple.com/article.html?artnum=75304
fails to give procedural instructions such as that provided by the user group official. The page shows how one can verify the authenticity of the security update itself and, further, has a link to a "secure server." As I understand the complaints, even the authenticity check can be spoofed, and when I went to the secure server link, I did not see a padlock show up on my browser's window. How do I know that was a secure link?

A discussion at an Apple forum:
http://discussions.info.apple.com/WebX?[EMAIL PROTECTED]^[email protected]/7
indicates that programmer techniques at one's Macintosh can resolve the out-of-sequence problem, but what about the common user?

By the way, Apple did not provide a quick-fix for software updating of OS 9 which is equally vulnerable.

Oh hum, just another reason to update my Macintosh the old way.

--
Al Poulin
Anger, hate, and revenge are for the devil, forgiveness is for God, proactive self-defense is for the rest of us.
