Apple has released a security patch for a vulnerability in its iSync application bundled with the OS X operating system. But it took the vendor at least three months to release the fix.

The iSync application allows users to synchronise data such as mp3 files, address book entries or calendar appointments between a PC and mobile devices such as iPods, mobile phones or PDAs.

The patch released on Tuesday is identified as Security Update 2005-004. It followed one month after update 2005-003.

The flaw makes iSync's mRouter tool vulnerable to a buffer overflow attack. Users with local access to affected systems could then gain super-user privileges.

Apple computers running OS X version 10.2.8 through to the current version 10.3.9 are susceptible to the bug.

The flaw was discovered by Braden Thomas, an independent developer of security software and a member of the University of Southern California's Digital Security Interest Group.

Thomas went public about the security hole on 22 January, and had notified Apple even earlier. In an email to vnunet.com, Thomas explained that "three months is a long time to fix the bug".

"I was surprised that [Apple] did not include a fix in Security Update 2005-003," he wrote. "In fact, an AppleFileServer DoS bug I discovered that was disclosed in February was fixed by Update 003."

Apple did not respond to a request to provide further information about the time it took to issue the fix.