There are four crash bugs which leads to memory corruption. If the user had root privileges then an attack could execute code with those privileges. 

Same-Origin is a concept that relates to sscripting in web pages, this allows for the access of scripts originating from the same site to access each others methods and variables without limits. One involves Adobe Flash plug-in. This can allow attackers to execute scripts under the context of a legitimate web site, using cross site scripting (XXS) or cross-site request forgery (CSRF). 

It is recomended that this upodate be installed. 

Update on Wednesday, April 29, 2009 at 07:39AM by drStrangeP0rk

New problems introduced by fixes in update 3.0.9 require an update to 3.0.10 including a crash bug and a memory corruption vulnerability that may be exploitable. Make sure to check for updates when opening Firefox. (There is alos a No-Script update that should be installed as well.) It is always recommended that the home/soho user(s) set Auto-Update to check everyday for updates. For larger organizations the selection should be based on their patch and update policy. 

Six kernel vulnerabilities have been published which affect Mac OSX including 5 which can be used to exploit 10.5.6. They can be view on Milw0rm.com, see the link to the Apple specific exploits on the sidebar. These exploits can also affect Solaris kernels and FreeBSD. FreeBSD has been patched, Mac OSX has not as of yet.

Issue one exploits a remote heap overflow in AppleTalk network stack. The second and third exploits a memory leak which can cause the kernel to run out of memory. The fourth exploit relates to HFS vfs sysctl flaw which allows for a global variable to be altered without locking the mutual exclusion object (mutex). Mutex is used to allow multiple program threads to share resources, this is done by locking the mutex from other threads. In this case the locking process does not happen causing a potential of memory corruption.

The last has been know for some time, it relates to the HFS I/O control (IOCTL) handler. User supplied code can be inserted and executed with kernel level privileges. 

This affects MS Office SP3 2000, 2002, 2003 and MS Office 2004 Mac. An attacker can gain access to the user rights of systems running Microsoft Office Mac 2004 using specially crafted content in a PowerPoint document. This can be accomplished by sending the file to a unsuspecting user or downloading it from a site. The attacker can behave as the compromised user.

Again, user education is key to preventing this kind of attack. Only open documents from trusted sources, use MOICE (Windows OS) and do not open earlier versions of MS Office files. Since Office files are .ZIP files containing meta and content data it is important that trust policies be reiterated to users, namely if an Office document comes from an unknown source do not open it. This is also true of ICal files, mail, QT, etc. Never perform task such as email, office activities or web surfing as a system administrator or root. 

No updates at this time, see MS reference article attached for mitigation options.

Update on Wednesday, May 13, 2009 at 08:22PM by drStrangeP0rk

Microsoft has posted an update related to Windows versions of Office but has not updated versions related to Mac Office as of today. The Mac version has not been found by them in the wild.

http://www.microsoft.com/technet/security/bulletin/MS09-017.mspx