Apple on Monday released Mac 0S x 10.5.4, which includes patches for 25 security holes, many of which could be exploited to execute arbitrary code.

The flaws -- rated "highly critical" by tracking firm Secunia -- are spread out across a number of operating system components: Alias Manager, Core Types, C++filt, Dock, Launch Services, Net-SNMP, Ruby, SMB File Server, System Configuration, Tomcat, VPN and WebKit.

The largest number of holes -- nine -- reside in Tomcat, an application server that that executes Java programs used to create dynamic web pages. Additionally, the update fixed six flaws in the open-source Ruby programming language.

Apple additionally plugged a memory corruption vulnerability relating to the handling of JavaScript in Safari 3.

Apple apparently did not fix a vulnerability in its ARDAgent (Apple Remote Desktop) that allows programs to run as root due to an error in the processing of AppleScripts, a Mac programming language. The hole gave rise to an alleged in-the-wild trojan.