04 Jan 2007, 23:15 PST

Answers to the most frequently asked questions

Q. Are patches cumulative? Do I need to install more than one APE?

A. The patches are cumulative -- each new version contains all the previous fixes (including improvements and bug fixes), plus the new fix. If a vendor releases a fix, we'll remove the patch from the APE bundle.

Q. When does a patch take effect? How do I know if I'm protected?

A. Application Enhancer will apply new fixes when an application is restarted. If you've just installed Application Enhancer for the first time, I suggest logging in/out, or restarting your computer.

Q. How can I determine what patch version I have installed?

A. The current version is displayed under the APE name in the Application Enhancer preference pane. The version corresponds to the day -- today is January 4th, and the APE version is 4.0.

Q. Do you support Panther? What operating systems are supported?

A. Unfortunately, only Tiger. I don't have the resources or time to test anything other than Mac OS X 10.4.8.

Q. What happens when the vendor (eg, Apple, VLC) releases a fix?

A. All of the patches are keyed to specific software versions, and the patches are applied at runtime -- the on-disk files are never modified. When a new release of the vulnerable software is installed, the patch will not apply itself. The APE can also be removed at any time by clicking the "-" button in the Application Enhancer preference pane.

Q. How can I contribute?

A. You are encouraged to join the MOAB Fixes group.

I'd also like to apologize to everyone whose e-mail I haven't yet been able to answer personally. I promise I'll reply, it may just take me a couple days.

Month of Apple Bugs - Day 4

04 Jan 2007, 22:18 PST

Friends to the Rescue

Today's update was masterfully implemented by Finlay Dobbie, William Carrel, and the members of the MOAB Fixes Google Group.

Finlay solved today's Month of Apple Bugs issue -- a format string vulnerability in iPhoto's Photocast support. His patch guards the -[SubscribedAlbum registerPublishError:withTitle:] method, escaping all occurances of '%' in the title argument. -[SubscribedAlbum registerPublishError:withTitle:] passes the title directly to [NSString localizedStringWithFormat:].

William Carrel has skillfully updated the fix for the Apple Quicktime HREFTrack Cross-Zone Scripting vulnerability to use a whitelist exclusion method -- QuickTime movies will only permit http, https, and ftp URLs in the HREFTrack.

You can download the source, or a pre-built binary. As always, you'll need to install Application Enhancer to use this -- once it's installed, simply double-click on the Moab bundle to install the patch.