Landon Fuller, the former Apple engineer who coordinated fixes for January's "Month of Apple Bugs" project, has said he plans to continue to release fixes for zero-day Mac OS X bugs.
Fuller and a few other developers released their temporary fixes using Application Enhancer, which can modify the behaviour of other programs. Application Enhancer was itself then targeted by a MOAB flaw.
MOAB Fixes was modelled on the Zeroday Emergency Response Team (ZERT) , which releases patches for flaws that have been publicly disclosed but for which there isn't yet an official patch - in other words, "zero-day" security bugs. Both Fuller and ZERT argue vendor patches are preferable, but that a quick, temporary fix is better than nothing.
"Where a critical, high-risk 'zero-day' issue exists, and is practical to patch, I plan on continuing to provide patches beyond the Month of Apple Bugs," Fuller said in a blog post. He said he would continue to coordinate patching via the newsgroup.
The MOAB Fixes effort addressed its first non-MOAB bug on 20 January, when Sun warned of a Java bug that wasn't immediately fixed by Apple, which is responsible for maintaining Java on Mac OS X.
"It is apparent from my observations of the FreeBSD Java project that preparing and testing a new Java release is an expensive and time consuming process," Fuller wrote at the time. "I decided to release a temporary patch for the issue until Apple can release an official update."
That experience gave Fuller the idea of continuing MOAB Fixes beyond January, and the notion has received some support from those helping develop temporary patches.
Developer William Carrel said last week he hoped the effort could help improve relations between Apple and the security industry. "Talented folks volunteering to lend OS X programming/reversing skills where available to a project like ZERT could be a real win," he wrote on the newsgroup. He noted that ZERT is more focused on Windows.
One problem with continuing might be possible bad relations with the notoriously touchy Mac user community, Carrel said. "It wouldn't hurt the Mac community to have this too, that is as long as the user community can deal with the situation in a way that doesn't include shooting the messenger or decrying 'unofficial' fixes," he wrote.