Russell Harding has identified a relatively major security vulnerability in the OS X Software Update mechanism. Basically, since the client does not authenticate the update server, it's possible to spoof that server and install whatever you like. Russell has published an exploit which demonstrates the nature of the problem: it installs a hacked copy of the SSH daemon which allows easy access to any account (including root) on the system.
I don't generally choose to publish security exploit information, but this one seems relatively important! Hopefully Apple will find a way to (quickly) secure the Software Update process.
Thoughts, anyone? Is this a major hole, or is it not really that big of an issue? As a non-technical user, I'm not sure I understand exactly how this exploit could be installed on my machine ... so I'm not sure how worried I should be!
JULY 13 UPDATE: Apple has now released an official patch to cover the Software Update security exposure. It is not available through Software Update (for obvious reasons?), and Apple has included a checksum to verify your download prior to installing, if you wish.