Apple released Security Update 2010-006 on Monday, a patch that fixes one security issue with Apple Filing Protocol (AFP) in Mac OS X 10.6.4. The issue was a serious one: under certain circumstances, it could allow the bad guys to take over a Mac with file sharing turned on.
Apple’s patch notes:
Security Update 2010-006
Available for: Mac OS X v10.6.4, Mac OS X Server v10.6.4
Impact: A remote attacker may access AFP shared folders without a valid password
Description: An error handling issue exists in AFP Server. A remote attacker with knowledge of an account name on a target system may bypass the password validation and access AFP shared folders. By default, File Sharing is not enabled. This issue does not affect systems prior to Mac OS X v10.6. Credit to Richard Noll for reporting this issue.
You can download the update through Software Update. The download is 951 KB.