Apple's latest OS X download includes a PackageKit patch to thwart potential "man-in-the-middle attacks."
Available for: Mac OS X v10.6 through v10.6.5, Mac OS X Server v10.6 through v10.6.5
Impact: A man-in-the-middle attacker may be able to cause an unexpected application termination or arbitrary code execution
Description: A format string issue exists in PackageKit's handling of distribution scripts. A man-in-the-middle attacker may be able to cause an unexpected application termination or arbitrary code execution when Software Update checks for new updates. This issue is addressed through improved validation of distribution scripts. This issue does not affect systems prior to Mac OS X v10.6. Credit to Aaron Sigel of vtty.com for reporting this issue.
Apple pushed the patch out along with Mac OS v10.6.6, which delivered the Mac App Store.