Apple iPhoto versions prior to 6.0.6 contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user.
The vulnerability is due to a format string error in the handling of data supplied by a photocast. An unauthenticated, remote attacker could exploit the vulnerability by convincing a targeted user to view a malicious photocast with a crafted title. If the targeted user views the photocast, a format string error could occur that might allow the attacker to execute arbitrary code with the privileges of the user running iPhoto.
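The bug class described above is an untrusted string being passed to a printf-family function as the format argument rather than as data. The C snippet below is an added illustration and is not Apple's code; nothing is known or assumed here about how iPhoto itself handled photocast titles. It contrasts the unsafe pattern with the hardened form (a fixed format string, the title supplied only as a `%s` argument) and adds a small defensive check that counts conversion directives in an untrusted title, useful for flagging such inputs in logs or feed validation. The sample title is constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample photocast title containing conversion directives. */
static const char *SAMPLE_TITLE = "Vacation %s %n photos";

/*
 * Unsafe pattern (the class of bug in the advisory): the untrusted title is
 * used as the format string itself, so any '%' sequence it contains is
 * interpreted by the formatter instead of being treated as text.
 * Shown only as a comment; it must never be compiled against real input:
 *
 *     snprintf(out, outlen, title);        // DO NOT DO THIS
 */

/* Hardened form: fixed format string, the title is only ever a %s argument,
 * so '%' sequences inside it are copied verbatim. Returns snprintf's result. */
int format_title_safe(char *out, size_t outlen, const char *title) {
    return snprintf(out, outlen, "Photocast: %s", title);
}

/* Convenience wrapper for verification: format a title safely into a local
 * buffer and report whether the result equals the expected literal text. */
int safe_format_matches(const char *title, const char *expected) {
    char buf[128];
    int n = format_title_safe(buf, sizeof buf, title);
    if (n < 0 || (size_t)n >= sizeof buf)
        return 0;                       /* error or truncation: do not trust buf */
    return strcmp(buf, expected) == 0;
}

/* Defensive check: count conversion directives in an untrusted string.
 * "%%" is a literal percent sign and is not counted. A non-zero result
 * means the input would be dangerous if it ever reached a format function
 * directly, which is worth flagging during feed validation or review. */
int count_format_directives(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {              /* escaped percent, skip the pair */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void) {
    char buf[128];
    format_title_safe(buf, sizeof buf, SAMPLE_TITLE);
    printf("%s\n", buf);                /* the title is printed verbatim */
    printf("directives in title: %d\n", count_format_directives(SAMPLE_TITLE));
    return 0;
}
```

With the hardened form the sample title comes out unchanged as "Photocast: Vacation %s %n photos", while the directive counter reports 2 for it and 0 for a string such as "100%% safe"; compiling with -Wformat-security (or the stricter -Werror=format-security) catches the unsafe pattern at build time when a non-literal format reaches a printf-family call.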
Proof-of-concept code is publicly available.
Apple has confirmed this vulnerability and released software updates.
Apple has released a security advisory at the following link: APPLE-SA-2007-03-13 iPhoto 6.0.6
Apple has released software updates that can be installed using the Software Update pane in System Preferences.