The flaws fixed in OS X Lion include a problem with Time Machine, which could enable a remote attacker to access a user’s backup credentials, and an issue with Directory Service, which could allow a remote attacker to obtain sensitive information.
“Multiple issues existed in the directory server's handling of messages from the network. By sending a maliciously crafted message, a remote attacker could cause the directory server to disclose memory from its address space, potentially revealing account credentials or other sensitive information. This issue does not affect OS X Lion systems. The Directory Server is disabled by default in non-server installations of OS X”,
Apple explained in its security update.
In addition, Apple plugged holes in Bluetooth, curl, HFS, ImageIO, Kernel, libarchive, libxml, PHP, Quartz Composer, QuickTime, Ruby, and Samba, as well as a FileVault flaw that could expose user passwords.
The Safari update fixed four vulnerabilities and disabled older versions of the Adobe Flash Player plugin. “Users who wish to reinstall a disabled version of Flash Player can do so by following Apple’s instructions, but they would be much better off downloading a new version immediately from the Adobe web site”, explained Intego in its Mac Security blog.