Apple has issued security updates for the Safari browser on Mac OS. All of the vulnerabilities are in the WebKit browser engine in Safari and many other programs.
The update fixes 27 vulnerabilities, 26 of which could lead to remote code execution. The 27th could allow a program running arbitrary code (such as one which exploited one of the first 26 vulnerabilities) to read arbitrary files despite sandbox restrictions.
As is often the case with Apple security updates, many of the vulnerabilities have been publicly known for some time. The oldest in this group is CVE-2013-2871, was reported in May 2013 and patched in Google Chrome in July.
The Google Chrome security team was involved in reporting 15 of the vulnerabilities. Google has announced that they will move away from WebKit, at least from the official distribution, but they are still affected by many of the problems in it.