Posted By Rogue Amoeba Alumni on March 19th, 2008

Apple released Security Update 2008-002 yesterday and this led to a problem for some users on Mac OS X 10.5 using our Instant Hijack component. The Instant Hijack component is optionally installed by Airfoil, Audio Hijack Pro, and Nicecast, and enables these applications to grab audio from applications that are already running. Following the Security Update, ssh and some related programs would crash when they were run on Mac OS X 10.5 machines with Instant Hijack installed.

The Fix

First up, the fix – we’ve posted updates to Audio Hijack Pro (now at version 2.8.1), Airfoil (now at version 3.1.3), and Nicecast (now at version 1.9.2).

Each of these updates contains the updated Instant Hijack, version 2.0.3, which will resolve the issue. When you first run any of the aforementioned applications, you’ll be prompted to update your copy of Instant Hijack (provided you have an old version installed). Do so, and you’ll be good to go.

The Problem

So, what caused this issue? This was due to a bug in Instant Hijack and is related to a new security feature in Leopard called position-independent executables (PIE). PIE is related to address space layout randomization. The basic effect is to move programs such as ssh to a different place in memory each time they start, making it more difficult for an attacker to exploit them.

Position-independent executables were available in Leopard from the start, and Instant Hijack was written to take them into account. However, nothing on the system actually used this facility when Leopard shipped. That changed with Security Update 2008-002, which includes a copy of ssh and related utilities which were compiled using PIE. At that point, we discovered that Instant Hijack’s PIE support didn’t work correctly.

Instant Hijack’s PIE support expected the program to be loaded at a random address. However, Leopard’s PIE implementation loads a program’s executable code into memory, and then moves it to a new, random address. Instant Hijack briefly inspects each process as it launches, in order to catch those that produce audio. On something like ssh, it exits very early, but that was enough to cause an issue here. Instant Hijack was left looking for the executable code in the original but since-vacated spot, and this triggered a crash.

Summary

Fortunately, the fix to Instant Hijack was relatively quick and we’ve updated all of our affected software. If you use Audio Hijack Pro, Airfoil, or Nicecast, grab the latest update and install the newest Instant Hijack component. Once you do, you’ll be all set.