Q. Are patches cumulative? Do I need to install more than one APE?
A. The patches are cumulative -- each new version contains all the previous fixes (including improvements and bug fixes), plus the new fix. If a vendor releases a fix, we'll remove the patch from the APE bundle.
Q. When does a patch take effect? How do I know if I'm protected?
A. Application Enhancer will apply new fixes when an application is restarted. If you've just installed Application Enhancer for the first time, I suggest logging in/out, or restarting your computer.
Q. How can I determine what patch version I have installed?
A. The current version is displayed under the APE name in the Application Enhancer preference pane. The version corresponds to the day -- today is January 4th, and the APE version is 4.0.
Q. Do you support Panther? What operating systems are supported?
A. Unfortunately, only Tiger. I don't have the resources or time to test anything other than Mac OS X 10.4.8.
Q. What happens when the vendor (eg, Apple, VLC) releases a fix?
A. All of the patches are keyed to specific software versions, and the patches are applied at runtime -- the on-disk files are never modified. When a new release of the vulnerable software is installed, the patch will not apply itself. The APE can also be removed at any time by clicking the "-" button in the Application Enhancer preference pane.
Q. How can I contribute?
A. You are encouraged to join the MOAB Fixes group.
I'd also like to apologize to everyone whose e-mail I haven't yet been able to answer personally. I promise I'll reply, it may just take me a couple days.
Today's update was masterfully implemented by Finlay Dobbie, William Carrel, and the members of the MOAB Fixes Google Group.
Finlay solved today's Month of Apple Bugs issue -- a format string vulnerability in iPhoto's Photocast support. His patch guards the -[SubscribedAlbum registerPublishError:withTitle:] method, escaping all occurances of '%' in the title argument. -[SubscribedAlbum registerPublishError:withTitle:] passes the title directly to [NSString localizedStringWithFormat:].
William Carrel has skillfully updated the fix for the Apple Quicktime HREFTrack Cross-Zone Scripting vulnerability to use a whitelist exclusion method -- QuickTime movies will only permit http, https, and ftp URLs in the HREFTrack.
You can download the source, or a pre-built binary. As always, you'll need to install Application Enhancer to use this -- once it's installed, simply double-click on the Moab bundle to install the patch.