Under The Microscope

Security Update 2008-002 Compatibility Fix

Apple released Security Update 2008-002 yesterday, and it led to a problem for some users on Mac OS X 10.5 who have our Instant Hijack component installed. Instant Hijack is optionally installed by Airfoil, Audio Hijack Pro, and Nicecast, and enables those applications to grab audio from applications that are already running. Following the Security Update, ssh and some related programs would crash when run on Mac OS X 10.5 machines with Instant Hijack installed.

The Fix

First up, the fix – we’ve posted updates to Audio Hijack Pro (now at version 2.8.1), Airfoil (now at version 3.1.3), and Nicecast (now at version 1.9.2).

Each of these updates contains the updated Instant Hijack, version 2.0.3, which will resolve the issue. When you first run any of the aforementioned applications, you’ll be prompted to update your copy of Instant Hijack (provided you have an old version installed). Do so, and you’ll be good to go.

The Problem

So, what caused this issue? It was a bug in Instant Hijack's handling of a security feature new in Leopard: position-independent executables (PIE). A PIE is linked so that its code runs correctly from any base address, which is what allows the system to apply address space layout randomization (ASLR) to the main program itself and not only to the shared libraries it loads. The practical effect is that a program such as ssh lands at a different place in memory each time it starts, so an attacker who needs to know where its code lives has to find that address first, making it more difficult to exploit.

Position-independent executables were supported in Leopard from the start, and Instant Hijack was written to take them into account. However, nothing on the system was actually shipped as a PIE when Leopard was released. That changed with Security Update 2008-002, which includes copies of ssh and related utilities compiled as PIEs. At that point, we discovered that Instant Hijack's PIE support didn't work correctly.

Instant Hijack's PIE support expected the program to be loaded directly at a random address. Leopard's PIE implementation works differently: it first loads the program's executable code into memory at its normal, link-time address, and only then moves it to a new, random address before the program runs. Instant Hijack briefly inspects each process as it launches, in order to catch those that produce audio; on something like ssh, it backs out very early. That early look was enough to cause trouble here, because it happened before the move. Instant Hijack was left looking for the executable code in the original but since-vacated spot, and that triggered the crash.
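As an added example (not Rogue Amoeba's code, and not how Instant Hijack itself works), the script below answers the two practical questions raised above: how to tell whether a given binary is flagged PIE, and where the system will map it before it is moved. It reads the MH_PIE flag from the Mach-O header and the link-time vmaddr of the __TEXT segment, unwraps universal (fat) binaries, and then models the stale-address failure described in the post by checking an address noted from the pre-slide mapping against the segment's post-slide location. The constants are Apple's from the mach-o headers; the sample images and the slide value are constructed for the demo.

```python
"""Inspect a Mach-O header: is the image flagged PIE, and where does its
__TEXT segment say it is linked to load (the pre-slide address)?

Added example, not Rogue Amoeba's Instant Hijack code. Constants are from
<mach-o/loader.h> and <mach-o/fat.h>; the images built by build_sample() and
build_fat() are constructed for the demo and contain no code.
"""
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF  # little-endian images (x86)
MH_CIGAM, MH_CIGAM_64 = 0xCEFAEDFE, 0xCFFAEDFE  # byte-swapped: big-endian (PowerPC)
FAT_MAGIC = 0xCAFEBABE  # universal wrapper, always big-endian
MH_EXECUTE = 0x2        # filetype: main executable
MH_PIE = 0x200000       # flag: the loader may slide this image to a random base
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19

def parse_thin(data, offset=0):
    """Parse one thin Mach-O image starting at `offset`."""
    magic, = struct.unpack_from("<I", data, offset)
    if magic not in (MH_MAGIC, MH_MAGIC_64, MH_CIGAM, MH_CIGAM_64):
        raise ValueError("no Mach-O header at offset %d" % offset)
    e = "<" if magic in (MH_MAGIC, MH_MAGIC_64) else ">"
    is64 = magic in (MH_MAGIC_64, MH_CIGAM_64)
    # mach_header: magic cputype cpusubtype filetype ncmds sizeofcmds flags [reserved]
    hdr_fmt = e + ("IiiIIIII" if is64 else "IiiIIII")
    # segment_command: cmd cmdsize segname vmaddr vmsize fileoff filesize prots nsects flags
    seg_fmt = e + ("II16sQQQQiiII" if is64 else "II16sIIIIiiII")
    hdr = struct.unpack_from(hdr_fmt, data, offset)
    info = {"is64": is64, "filetype": hdr[3], "pie": bool(hdr[6] & MH_PIE),
            "text_vmaddr": None, "text_vmsize": None}
    pos = offset + struct.calcsize(hdr_fmt)
    for _ in range(hdr[4]):  # ncmds load commands follow the header
        cmd, cmdsize = struct.unpack_from(e + "II", data, pos)
        if cmd in (LC_SEGMENT, LC_SEGMENT_64):
            segname, vmaddr, vmsize = struct.unpack_from(seg_fmt, data, pos)[2:5]
            if segname.rstrip(b"\0") == b"__TEXT":
                info["text_vmaddr"], info["text_vmsize"] = vmaddr, vmsize
        pos += cmdsize
    return info

def parse_macho(data):
    """One result per architecture; unwraps universal (fat) files."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return [parse_thin(data, 0)]
    nfat, = struct.unpack_from(">I", data, 4)
    # fat_arch entries: cputype cpusubtype offset size align (big-endian)
    return [parse_thin(data, struct.unpack_from(">iiIII", data, 8 + 20 * i)[2])
            for i in range(nfat)]

def image_after_slide(info, slide):
    """Where __TEXT sits once the loader is done. Per the post, Leopard maps the
    image at its link-time vmaddr first and only then moves a PIE by `slide`."""
    return info["text_vmaddr"] + (slide if info["pie"] else 0)

def stale_pointer_is_mapped(info, cached_addr, slide):
    """Model of the bug: an address noted from the pre-slide mapping is used
    after the move. True only while it still lies inside the slid __TEXT."""
    start = image_after_slide(info, slide)
    return start <= cached_addr < start + info["text_vmsize"]

def build_sample(pie, is64=False, big_endian=False):
    """Construct a header-only image: __PAGEZERO plus an empty __TEXT."""
    e = ">" if big_endian else "<"
    def seg(name, vmaddr, vmsize):
        fmt, cmd, size = ("II16sQQQQiiII", LC_SEGMENT_64, 72) if is64 else ("II16sIIIIiiII", LC_SEGMENT, 56)
        return struct.pack(e + fmt, cmd, size, name, vmaddr, vmsize, 0, 0, 7, 5, 0, 0)
    text = 0x100000000 if is64 else 0x1000  # conventional link-time __TEXT base
    cmds = seg(b"__PAGEZERO", 0, text) + seg(b"__TEXT", text, 0x2000)
    flags = MH_PIE if pie else 0
    if is64:  # CPU_TYPE_X86_64
        hdr = struct.pack(e + "IiiIIIII", MH_MAGIC_64, 0x01000007, 3, MH_EXECUTE, 2, len(cmds), flags, 0)
    else:     # CPU_TYPE_POWERPC = 18, CPU_TYPE_I386 = 7
        hdr = struct.pack(e + "IiiIIII", MH_MAGIC, 18 if big_endian else 7, 3, MH_EXECUTE, 2, len(cmds), flags)
    return hdr + cmds

def build_fat(images):
    """Wrap (image, cputype) pairs in a fat header (slices not page-aligned here)."""
    off, archs, body = 8 + 20 * len(images), b"", b""
    for img, cputype in images:
        archs += struct.pack(">iiIII", cputype, 3, off + len(body), len(img), 12)
        body += img
    return struct.pack(">II", FAT_MAGIC, len(images)) + archs + body

if __name__ == "__main__":
    fat = build_fat([(build_sample(pie=True), 7), (build_sample(pie=False, big_endian=True), 18)])
    for arch in parse_macho(fat):
        print(arch)
    info, slide = parse_thin(build_sample(pie=True)), 0x5000  # slide value assumed
    print(hex(image_after_slide(info, slide)), stale_pointer_is_mapped(info, info["text_vmaddr"], slide))
```

Pointed at a real file (`parse_macho(open("/usr/bin/ssh", "rb").read())`) it reports the same thing `otool -hv` shows in the header flags, so it is a quick way to confirm which tools an update has turned into PIEs. The stale-pointer check is the part that matters for a tool like Instant Hijack: with a non-zero slide, the pre-slide __TEXT address is no longer inside the segment, which is exactly the since-vacated region the post describes.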

Summary

Fortunately, the fix to Instant Hijack was relatively quick and we’ve updated all of our affected software. If you use Audio Hijack Pro, Airfoil, or Nicecast, grab the latest update and install the newest Instant Hijack component. Once you do, you’ll be all set.

22 Responses to “Security Update 2008-002 Compatibility Fix”

  1. Todd M says:

    “… Leopard’s PIE implementation loads a program’s executable code into memory, and then moved it to a new, random address”

    I just had a couple of questions regarding this:
    1. You say ‘moved;’ are you saying this is how leopard acted before the 2008-002 update, or how it did and does act?

    2. Can you cite a reference for this? Or some method of testing that statement?

  2. Jon says:

    I’ve just been prompted to upgrade my version of Airfoil but the updater seems to download and install 3.1.2 again, (and again, and again).

    Is this just because 3.1.3 is not quite ready yet?

  3. Jack says:

    This is also being claimed as the cause of breaking printing. See user Vinayak Vatsal's comment in this Apple discussion board thread:
    http://discussions.apple.com/thread.jspa?threadID=1448337

  4. frederic udina says:

    For me, like for Jack, updating Airfoil to 3.1.3 does not work. I get 3.1.2 again and again.
    I've lost three hours or more today on this stupid bug from Airfoil/Hijack. That's by far more than the $25 it cost me.

  5. Quentin Carnicelli says:

    Jack – That may be because as well as ssh, cupsd is also PIE’d. The complete list of PIE’d processes (that I’ve found so far) is as follows: scp, sftp, slogin, ssh, ssh-add, ssh-agent, ssh-keygen, ssh-keyscan, sshd, cupsd

  6. Mike Ash says:

    Jon and frederic udina: There was a problem when posting the new version to the updater, this should now be fixed.

    Todd M: To the best of my knowledge, the behavior of PIE apps in Leopard has not changed since it was released. However, Leopard simply didn't include any PIE programs before this security update, so it was never encountered. As far as verification, if you check the state of the ssh process after the kernel loads it but before dyld begins to execute, you'll find the executable image in the "standard" location, and if you examine it later, such as from gdb or a crash log, you'll find that it's in a new location.

  7. Steven Fisher says:

    Is this the source of ALL the “ssh is crashing for some people, but not all” reports? Ouch.

  8. Mike says:

    “Instant Hijack briefly inspects each process as it launches, in order to catch those that produce audio. On something like ssh, it exits very early…”

    I’m curious why it runs at all for ssh or similar, never-gonna-make-a-peep processes. Would it be simpler to “quietlist” processes that have no sound outputs on a permanent basis?

  9. Glenn Fleishman says:

    Rogue Amoeboids, could you please learn to use diff for program updates? Downloading 10 MB of code via the built-in updater routine for each micro-version seems excessive.

  10. Developer says:

    @Glenn – binary patching updaters suck. They are a support nightmare. I don’t wish them on anyone. (Mac OS X introduces even more complications for actually producing an updater too.)

  11. Tony Lawrence says:

    Well, the interesting thing is that we’ve learned that Apple is starting to make use of PIE.. might have been some time before that was noticed if IH wasn’t looking at ssh..

  12. Mike Ash says:

    Steven Fisher: It’s probably too early to tell if this is the source of all of these reports, but it strikes me as likely.

    Mike: It’s a tradeoff in attempting to reduce our impact on programs as much as possible. By inspecting nearly everything, we can hold off on loading the big hijacking code until an app really does start producing audio. We could have a never-touch-this list for things like ssh, but such a list would add complication, and it would probably end up being used only after trouble had been identified and fixed anyway. In making such a list originally, I probably wouldn’t have thought to include ssh on a master list of essential processes which must not be touched, so the end result would have been the same.

  13. Dan says:

    Thanks for fixing the problem so fast. You guys rock. I use Airfoil 3 everyday. It’s a fantastic app and you just keep making it better. You have won yourselves a customer for life.

  14. Nike Vatsal says:

    Hi,

    Is the updated version of Instant Hijack available for users of Airfoil 2.1? I have not upgraded to version 3.

    Also, is the Instant Hijack component shared with Audio Hijack Pro? I have AHP version 2.81, and was wondering if I could just install the Instant Hijack component from there.

    Thanks in advance!

  15. Paul Kafasis says:

    Nike: You can install from Audio Hijack Pro, yes. Instant Hijack is indeed shared across all the apps.

    As for Airfoil 2, we’ve posted v2.1.1 with the fix on our Legacy page.

  16. Simon Townley says:

    How does one uninstall Instant Hijack? Sorry, but I think I want it off my system.

  17. Mike Ash says:

    Under the application menu, select Install Extras. Then select the Instant Hijack tab, and if it is already installed, the button at the bottom right will allow you to uninstall it.

  18. Geoff Greer says:

    J Greely: Any program that runs as your user can read ~/.ssh/id_* and send it to whoever. Stealing your private keys doesn’t require process inspection.

  19. J Greely says:

    Geoff, I’m sure you don’t think you’re dodging the issue, but reading the contents of the .ssh directory is useless without also intercepting my passphrases, which you’d need a keylogger for (or a malicious program that uses the same hook Instant Hijack does…). Yes, some people’s passphrases can be brute-forced, but that’s an unrelated problem.

    You’re right in one respect, though: if I discovered that an application was poking around in .ssh, it would also go onto the banned list, and I’d force everyone who ran it to create new keys after it was scrubbed from their machines.

    -j

  20. Jeff says:

    Printing was fixed with the Hijack update however I am also having trouble with Panic’s Transmit. I installed the new update and now the Transmit problem is different– getting a connection timed out, server hung up error. Does anyone know anything about this?

  21. Stuart says:

    I spent AGES trying to fix the print problem on my Mac, messing up my configuration and doing things that I was very uncomfortable with as I urgently needed to be able to print (none of them worked).

    Why did you not email your customers to let them know of this issue when it came to light?

    Are you planning to email them?

    Will you email them in future if such an issue arises again?

  22. Paul Kafasis says:

    Stuart, we’re certainly sorry you experienced a problem. Hopefully, you’re all set now.

    As for emailing, this really never even crossed our minds. For most customers, this information would be either redundant, not useful in the first place, or just ignored. It would be a huge waste of time for nearly everyone. Does Apple email you when an issue is discovered? I’ve certainly never received such an email. Email’s just not a vector that’s generally used to inform users of bug fixes, by anyone.

    We issue updates as quickly as possible, and we post info here for all to read. We also do our best to make it as easy as possible to update our software, which can be done right in the app. Just as with Mac OS X, it’s best to always be running the very latest versions, of everything.
