Apple on Wednesday released a security update for users of Mac OS X 10.5 Leopard and 10.6 Snow Leopard.
Security Update 2010-003 for Snow Leopard, Leopard Client, and Leopard Server fixes exactly one vulnerability: the potential execution of arbitrary code when viewing or even just downloading a document with a maliciously-crafted embedded font.
In Apple's knowledge base document on the update, the company credits security researcher Charlie Miller for the find. Miller has won the annual Pwn2Own contest by taking over Macs three years in a row. Last year, he also discovered a rather nasty SMS vulnerability that could allow a malicious hacker to install and run unsigned code on an iPhone, complete with root access.
The Security Update 2010-003 for Snow Leopard weighs in at 6.5MB and requires Mac OS X 10.6.3 or later; the 219MB Leopard client and 379MB server versions require Mac OS X 10.5.8 and Mac OS X Server 10.5.8 respectively.