OS X Attack Code Released, and iTunes AAC Security Vulnerability Patched

According to News.com, security researcher Kevin Finisterre at Digital Munition has publicly released "attack code" that can locally exploit the launchd daemon.

"Attackers may exploit this issue to execute arbitrary code with elevated privileges," Symantec said in a security alert to customers that was updated on Thursday.

The code affects Mac OS 10.4.0 through 10.4.6; the recently released 10.4.7 and 10.3.x are excluded. The same researcher also created a proof-of-concept Bluetooth-exploiting worm earlier this year. According to News.com, his actions are intended in part to show that Apple software is not unbreakable.

The article also mentions that iTunes 6.0.5 quietly patches an AAC parsing flaw.

Parsing a maliciously-crafted AAC file could cause iTunes to terminate or potentially execute arbitrary code. iTunes 6.0.5 addresses this issue by improving the validation checks used when loading AAC files.
