Apple bug fixer may extend project

Landon Fuller, the developer behind January's Apple bug-fixing project, may expand the initiative to address Mac zero-day vulnerabilities in the future
Written by Tom Espiner, Contributor

The developer behind the Month of Apple Fixes is considering continuing the project to provide "zero-day patches" for critical issues affecting Mac OS X users in the future.

Landon Fuller was an engineer in Apple's BSD Technology Group, and one of the principal architects of the Darwin Ports project.

Fuller started the Month of Apple Fixes (MOAB Fixes) project in response to the Month of Apple Bugs (MOAB) project, which promised to feature a new Apple software bug for each day in January.

MOAB has now finished, but Fuller is keen to expand the MOAB Fixes initiative into a project similar to the Zero-day Emergency Response Team (ZERT). ZERT is a group of engineers and security experts from industry, community and incident response groups that offers unofficial patches during malware crises.

"Perhaps [it could be] the Mac OS equivalent to ZERT," Fuller told ZDNet blogger Ryan Naraine.

While Fuller and the MOAB Fixes group maintain that a vendor-supplied update is always preferable to a third-party patch, the group may continue the initiative to give Mac users a choice.

"This is more about providing the option, as well as fixing the issues for our own use," Fuller said.

Throughout the MOAB project, Fuller and a group of volunteers — mostly close friends — collaborated on a Google Group to respond to each reported issue with a runtime fix. The group spent between two and eight hours a day coding and testing the fixes but didn't patch kernel bugs because, as Fuller explained to Naraine, "the cost for a mistake in a kernel patch is very high".

Fuller initially suggested extending the project on 19 January, when the idea was met with cautious approval by the other members of the project.

Developer William A Carrel said: "There certainly seems to be utility in projects such as ZERT, which seems to be Windows-focused. Most open-source projects already have a thriving community which can deal with these things. It wouldn't hurt the Mac community to have this too, that is as long as the user community can deal with the situation in a way that doesn't include shooting the messenger or decrying 'unofficial' fixes."

Editorial standards