A security mailing list has alerted Apple Computer OS X users to a program that could let a hacker piggyback malicious code on downloads from the company"s SoftwareUpdate service.
According to the BugTraq mailing list, a hacker named Russell Harding has posted full instructions online for how to fool Apple"s SoftwareUpdate feature to allowing a hacker to install a backdoor on any Mac running OS X.
The exploit takes advantage of SoftwareUpdate, Apple"s software updating mechanism in OS X, which checks weekly for new updates from the company. According to Harding, who claims to have discovered the exploit, the feature downloads updates over the Web with no authentication and installs them on a system. So far, there are no patches available for this problem.
Harding stressed that the exploit is a simple one if using several well-known techniques, including domain-name service (DNS) spoofing and DNS cache poisoning.