Researcher: Apple Patch falls short

13.05.2006

Another flaw affects QuickTime Streaming Server on some versions of OS X and could allow attackers to use malicious RTSP (Real Time Streaming Protocol) requests to trigger a buffer overflow on the server. Other holes would allow attackers to use e-mail messages, Macromedia Flash files or malicious Web shortcuts to take control of Mac systems.

Ferris told InfoWorld there were still holes in Safari, QuickTime, and the iTunes application that he reported to Apple but were not patched in the latest release. He did not publish details of those holes on his Web site in April, but he described them as critical flaws that allow remote code execution.

Ferris said he is considering releasing the details of the unpatched holes on May 14 on his Web site (http://www.security-protocols.com/). He also said he has found new holes in OS X affecting TIFF format files and BOMArchiver, an application used to compress files. He did not provide details about the flaws or proof of their existence.

Compared with Apple's release, Microsoft's May security patch was small. The software giant posted three security bulletins, two of them rated "critical," covering five vulnerabilities in total.

Security experts have been weighing in on Apple security more frequently in recent months, as critical flaws in the OS X operating system and the Safari browser, along with viruses and Web-based attacks targeting Mac systems, have made headlines.