New Vulnerability in Mac OS

by chris 12/23/2007 11:26:53 PM

Well, I wouldn't expect to see anything about this in the next "Hello I'm a PC, and I'm a Mac" commercials that my wife seems to find so hilarious, so I decided to make sure I pointed it out... SecurityFocus just published an article about a new vulnerability in the Mac OS that could cause some real heartache for the user community. From the article:

When OS X checks for new updates, it first contacts swscan.apple.com
to receive the XML catalog file. This file references the distribution
definition files, which can reside on another server. Software Update
receives these files and calls some of the JavaScript functions to check,
if the update is suited for the local machine.


The catalog file and the distribution definition files are both received
using HTTP without any authentication. By running a malicious update server,
it is possible to provide distribution definition files, which execute
arbitrary commands using JavaScript on the remote machine requesting the
update.

I think it's kind of ironic that in order to get the patch for this vulnerability you have to expose yourself to the actual vulnerability you are trying to protect yourself against. In any case, I'm not trying to rub Apple's nose in it... This kind of thing can happen to every OS.
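
As an added example (not from the SecurityFocus article or from Apple), the following Python audits an update catalog for the two conditions the advisory describes: files fetched over plain HTTP and distribution files hosted on a different server than the catalog. The catalog schema, product ids and URL paths are constructed for illustration; only the host name swscan.apple.com comes from the advisory.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample. The element names are a simplified, hypothetical schema,
# not Apple's real catalog format; the URL paths are placeholders.
CATALOG_URL = "http://swscan.apple.com/catalog.xml"
SAMPLE_CATALOG = """\
<catalog>
  <product id="example-001">
    <distribution url="http://swscan.apple.com/example-001.dist"/>
  </product>
  <product id="example-002">
    <distribution url="http://updates.example.net/example-002.dist"/>
  </product>
  <product id="example-003">
    <distribution url="https://swscan.apple.com/example-003.dist"/>
  </product>
</catalog>
"""

def audit_catalog(catalog_url, catalog_xml):
    """Return (product id, url, [issues]) for the catalog itself and for every
    distribution reference that a client should not fetch and evaluate as-is."""
    catalog = urlsplit(catalog_url)
    findings = []
    if catalog.scheme != "https":
        findings.append(("<catalog>", catalog_url, ["unauthenticated-transport"]))
    for product in ET.fromstring(catalog_xml).iter("product"):
        for dist in product.iter("distribution"):
            url = dist.get("url", "")
            parts = urlsplit(url)
            issues = []
            if parts.scheme != "https":
                # Plain HTTP: anyone on the network path can substitute the file.
                issues.append("unauthenticated-transport")
            if parts.hostname != catalog.hostname:
                # The advisory notes these files may reside on another server.
                issues.append("different-host")
            if issues:
                findings.append((product.get("id"), url, issues))
    return findings

if __name__ == "__main__":
    for pid, url, issues in audit_catalog(CATALOG_URL, SAMPLE_CATALOG):
        print(f"{pid}: {url} -> {', '.join(issues)}")
```

HTTPS only authenticates the server; a client that evaluates scripts from these files would also want the files themselves signed and verified before anything in them runs.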

The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way. © 2008 Chris Blankenship

This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License