Hey Apple, Where's my iPhoto Security Patch?
Two days ago, Apple released iPhoto 7.1.2 to patch a format string vulnerability that was found and reported by Ernst & Young researcher Nate McFeters. The language in the advisory from Apple sounds pretty scary:

"A format string vulnerability exists in iPhoto. By enticing a user to subscribe to a maliciously crafted photocast, a remote attacker may cause arbitrary code execution. This update addresses the issue through improved handling of format strings when processing photocast subscriptions."

Whenever I see "remote" and "code execution" in the same sentence, I get nervous. I've been hitting Software Update repeatedly on my MacBook for the last 36 hours, and here's what Apple tells me:
I'm running iPhoto 6.0.6 (322) on this machine, so this is definitely an out-of-date version of the software. What gives? While I'm at it, what's the status of the one-month-old QuickTime RTSP flaw that also brings code execution risk?

UPDATE: Turns out this update is only available for iPhoto '08 7.1 (iLife '08). I'm running iLife '06 (6.0.x), and therefore a fix isn't available for me. Problem is, I don't know for sure (does Apple?) that iLife '06 isn't affected.

ANOTHER UPDATE: Via Twitter, Rich Mogull has a better explanation: it's a web gallery vuln, which isn't a feature in iPhoto 6. Phew. I'm now thinking Apple's bulletins desperately need a "not affected" section.
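The bug class named in Apple's advisory, shown as an added example in C. This is not iPhoto's code and not part of the original post: a hypothetical logging helper, log_line, is handed a photocast title as its format string (the vulnerable pattern) next to the one-line fix that passes the title only as a "%s" argument, plus a small count_format_directives check. The title "Summer 100%% done" is a constructed sample, chosen because "%%" consumes no argument, so the vulnerable path runs without undefined behaviour while still proving the untrusted title is being interpreted as a format. A real malicious feed would carry "%x" or "%n"; the example only counts those, it never executes them.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LINE_MAX_LEN 128

/* Hypothetical logging helper modelled on the bug class in the advisory
 * (not iPhoto's code): formats a message with a caller-supplied format. */
static int log_line(char *out, size_t out_len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, out_len, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE: the title comes from the remote photocast feed, yet it is
 * used as the format string. "%x" leaks stack words, "%n" writes to memory;
 * a crafted feed turns that into arbitrary code execution. */
int vulnerable_log_title(char *out, size_t out_len, const char *title)
{
    return log_line(out, out_len, title);
}

/* FIXED: the format is a literal; the untrusted title is only ever an
 * argument consumed by "%s", so its contents are never interpreted. */
int fixed_log_title(char *out, size_t out_len, const char *title)
{
    return log_line(out, out_len, "%s", title);
}

/* Defensive check: count conversion directives in untrusted text, i.e. any
 * "%" not escaped as "%%". Handy for an input audit or a regression test;
 * it is not a substitute for the fix above. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

/* Self-check helpers: run each path on a title and compare the result. */
int vulnerable_output_matches(const char *title, const char *expected)
{
    char out[LINE_MAX_LEN];
    vulnerable_log_title(out, sizeof out, title);
    return strcmp(out, expected) == 0;
}

int fixed_output_matches(const char *title, const char *expected)
{
    char out[LINE_MAX_LEN];
    fixed_log_title(out, sizeof out, title);
    return strcmp(out, expected) == 0;
}

int main(void)
{
    /* Constructed sample feed title. "%%" consumes no argument, so the
     * vulnerable path is safe to run here yet visibly rewrites the title. */
    const char *title = "Summer 100%% done";
    char out[LINE_MAX_LEN];

    vulnerable_log_title(out, sizeof out, title);
    printf("vulnerable: %s\n", out);   /* Summer 100% done  (title was parsed as a format) */

    fixed_log_title(out, sizeof out, title);
    printf("fixed:      %s\n", out);   /* Summer 100%% done (title passed through verbatim) */

    /* What a malicious feed would actually carry; counted, never executed. */
    printf("directives in \"%%x%%x%%n\": %d\n", count_format_directives("%x%x%n"));
    return 0;
}
```

The practical check when auditing a code base for this class: declare wrappers like log_line with `__attribute__((format(printf, 3, 4)))`. With that attribute in place, gcc and clang flag the `log_line(out, out_len, title)` call under `-Wformat-security` as a non-literal format with no arguments, while the `"%s"` version compiles cleanly.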

Comments (1)
Sad to see this kind of stuff from a writer who is too stupid to check with Macupdate.com to download the update.
Posted by AdamC | February 6, 2008 10:10 PM