The ISC rates this critical OSX security update asĀ “PATCH NOW” and more information can be found at:

Apple OS X – Critical security update for October 2011
http://isc.sans.org/diary/Critical+OS+X+Vulnerability+Patched/11797

QUOTE: With today’s focus on the release of iOS 5, and people worldwide refreshing the UPS shipping status page to check if the iPhone 4S left Hong Kong or Anchorage yet, a patch released for OS X Lion (10.7) came in under the radar. In addition to bringing us iCloud support and a good number of other security related patches, one issue sticks out as SUPER CRITICAL, PATCH NOW, STOP THAT iOS 5 DOWNLOAD.

The exploit can be implemented in a line of javascript, and will launch arbitrary programs on the user’s system. It does not appear that the attacker can pass arguments to the software, which may make real malicious exploitation a bit hard, but I am not going to wait for an improved proof of concept to proof me wrong.