Yahoo Messenger Install Secuirty

[Kyle Duren <acidrain_ask () pixitha com>]

Im now 100% sure where I should post this or who to tell, but here goes.

I was messing around with just installing some chat programs when I came 
across Yahoo Messenger. Well I started the install, and oddly enough its a 
lil different. Yahoo decided it would be easier for the user to just 
download all the install files from them, on the fly. 

The way it does it apperas to be via http:

GET /download.yahoo.com/dl/installs/ymsgr/ymsgr_1228.exe HTTP/1.1

Then the server responds (a19.g.a.yimg.com).

And sends the files.

Well this sounds all fine and dany, except it sounds very familiar to what 
the Apple Software Update Util used to do. No passwords or secrity on the 
download. The installer never even seems to verify the files.

This leads me to think that someone with enough time and brains could fool 
the "victim" computer to download some bogus Yahoo messenger files and 
install them instead of the legit ones.

The info on the Apple Security Hole is at: 
http://www.cunap.com/~hardingr/projects/osx/exploit.html

Of course this was fixed very quickly by Apple.

Can someone verify this as a valid exploit?

Thanks
Kyle Duren