Apple Computer has released its second major security update in as many weeks, fixing 20 bugs in the "Jaguar" version of the Mac OS X operating system. The most serious of the flaws could allow remote attacks, Apple said.

This week's patch is designed for desktop and server versions of OS X 10.3.9, an update released in mid-April as Apple geared up for the launch of OS X 10.4, nicknamed Tiger. Software vendors often patch a large number of bugs in new software releases, then issue a patch fixing the same bugs in older versions of the product.

The flaws patched this week are more serious than those addressed by the April patch, with some of the new bugs allowing remote attackers to run malicious code on a user's system. A buffer overflow in Apache's htdigest program could be triggered via a CGI application to allow remote system compromise, Apple said.

An integer overflow in AppKit could allow for malicious code execution via malformed TIFF images; two flaws in the libXpm library could allow code execution via another image format, XPM, although Apple noted that libXpm isn't installed by default.

A bug in the Foundation framework's handling of an environment variable could result in a buffer overflow, allowing the execution of code, Apple said. Help Viewer could be commandeered by remote attackers to run JavaScript without the usual security restrictions. A buffer overflow in NetInfo's Setup Tool (NeST) could also allow remote code execution.

Other flaws are less serious, allowing attacks by local users or allowing users to escalate their privileges. Affected programs include AppleScript, Bluetooth, Directory Services, Finder, LDAP, lukemftpd, Server Admin, sudo, Terminal and VPN, Apple said in its advisory. Apple has been criticised in the past for playing down security problems, but has improved in recent months, according to security experts.

Patches are available through the Mac's built-in software update system or from Apple's Web site. Independent security firm Secunia gave the flaws a "highly critical" rating.

Separately, some software makers have reported that some networking applications don't work properly with Tiger, blaming changes to the operating system core, or kernel. Cisco said last week that its VPN client wouldn't work with Tiger. This week vendors such as Thursby Software, Microsoft, Lobotomo Software and Equinux said that some of their VPN and networking software is either completely or partly broken by Tiger, according to reports. Apple has said it is working with vendors on fixes.