entering password to install software - security exposure?
Am I the only one who sees this as a potential security risk? I have been using computers my entire life, and I am still surprised by this, and I cannot believe it has not become a problem.
The issue is this - when installing software, you are prompted to enter your admin password before the app installer will run. This seems fine when explicitly launching a .dmg file.
However, many applications will download a new version, then launch the installer themselves. So we become used to the idea of, for example, an app launching a dialog that says "Software update available - do you want to install?", then if you click yes, it downloads/launches the installer of the new version. (For example, I just had this happen with Adobe Flash, but I have experienced it with several apps I use). So - the installer launches and a dialog pops up requesting that I enter my admin password.
So in this scenario, how does one tell the difference between a legitimate system prompt for the admin password, and a rogue app that is phishing for my root password? It would be easy for an app developer to spoof this entire process - "do you want to install the new version?" "please enter your admin password" and I claim it would be indistinguishable from a legit prompt for my password when launching a .dmg.
Moreover, the frequency of this operation somewhat desensitizes us to entering our root passwords whenever any semi-official dialog pops up requesting it.
This seems like a signficant security risk.
iMac (27-inch Mid 2011), Mac OS X (10.7.5)