Many of the patches protect against malicious attackers running code on your device, which could in theory be used for all sorts of malicious purposes. Vulnerabilities were corrected for WebKit, Configuration Profiles, CoreGraphics, FreeType (in PDF rendering), and more to prevent against this type of attack.
iOS 4.2 also includes a fix for iAd content display, to prevent attackers in what Apple calls “a privileged network position” to force phone calls from your device without your permission. A separate fix for Mail corrects an issue where carefully-crafted HTML emails could track whether you viewed a message, even if you had turned off remote image loading in Settings.
The update also addresses a situation where your MobileMe password could become visible to another attacker in that aforementioned privileged network position when using the Photos app to send images to the service. iOS 4.2 also corrects a race condition that could force the Reset Safari option to take a full 30 seconds to remove your saved Web passwords–during which time a speedy user with access to your device could still log in to those sites.