Apple Software Update
Software Update in OS X Lion
|Operating system||Mac OS 9
Software Update is a software tool by Apple Inc. that installs the latest version of Apple software on computers running OS X. It was originally introduced to Mac users in Mac OS 9. A Windows version has been available since the introduction of iTunes 7, under the name Apple Software Update. Software Update automatically informs users of new updates.
The program is part of the CoreServices in OS X. Software Update can be set to check for updates daily, weekly, monthly, or not at all; in addition, it can download and store the associated .pkg file (the same type used by Installer) to be installed at a later date and maintains a history of installed updates.
Software Updates consist of incremental updates of the Mac OS and its applications, Security Updates, device drivers and firmware updates. All software updates require the user to enter their administrative password, as with all consequential system changes. Some updates require a system restart. Starting with OS X 10.5, updates that require a reboot log out the user prior to installation and automatically restart the computer when complete; in earlier versions, the updates are installed, but critical files are not replaced until the next system startup.
Software Update uses predictable TCP sequence numbers and plain text HTTP. Neither the command line nor GUI tools allow the user to use unpredictable sequence numbers or HTTPS. Mac OS X 10.8 uses HTTPS by default and allows a user to downgrade to HTTP, but still uses predictable sequence numbers.
Apple's Software Update download server allows weak and wounded ciphers, and the server does not support secure renegotiation. Performing test connections using openssl s_client showed the server would agree to RC4-MD5. In fact, ARC4-MD5 was the server's preferred cipher. While confidentiality is not an issue (everyone gets the same update), authenticity is an issue and user must have assurances that they are communicating with the expected server and the communications are not tampered (MD5 is considered insecure by the cryptographic community, and should not be used).
In March 2008, Apple began offering its web browser, Safari, through Apple Software Update for Windows. The Safari download was selected by default for installation by Apple Software Update. After significant criticism from the community, Apple changed its policy and Safari was no longer selected by default for download. Apple Software Update for Windows now offers new software and an optional download, in addition to updates for already-installed software.
- OS X: Updating OS X and Mac App Store apps, September 19, 2012, retrieved September 23, 2012
- Schneier, Bruce (August 19, 2004), Cryptanalysis of MD5 and SHA: Time for a New Standard, retrieved September 23, 2012
- "Apple pushes Safari on Windows via iTunes updater". CNET. Retrieved October 23, 2009.
- "Apple updates Software Update for Windows, Safari optional". Ars Technica. Archived from the original on October 12, 2009. Retrieved October 23, 2009.