users@glassfish.java.net

Re: Glassfish 2.1 JVM crash on OSX Leopard 1.6.0_07

From: Alexis Moussine-Pouchkine <alexis.mp_at_sun.com>
Date: Sat, 07 Mar 2009 12:02:48 +0100

http://www.rogueamoeba.com/utm/2008/03/19/security-update-2008-002-compatibility-fix/
  works for me
attaching content.

Security Update 2008-002 Compatibility Fix
March 19th, 2008


Apple released Security Update 2008-002 yesterday and this led to a
problem for some users on Mac OS X 10.5 using our Instant Hijack
component. The Instant Hijack component is optionally installed by
Airfoil, Audio Hijack Pro, and Nicecast, and enables these
applications to grab audio from applications that are already running.
Following the Security Update, ssh and some related programs would
crash when they were run on Mac OS X 10.5 machines with Instant Hijack
installed.

The Fix

First up, the fix - we’ve posted updates to Audio Hijack Pro (now at
version 2.8.1), Airfoil (now at version 3.1.3), and Nicecast (now at
version 1.9.2).

Each of these updates contains the updated Instant Hijack, version
2.0.3, which will resolve the issue. When you first run any of the
aforementioned applications, you’ll be prompted to update your copy
of Instant Hijack (provided you have an old version installed). Do so,
and you’ll be good to go.

The Problem

So, what caused this issue? This was due to a bug in Instant Hijack
and is related to a new security feature in Leopard called position-
independent executables (PIE). PIE is related to address space layout
randomization. The basic effect is to move programs such as ssh to a
different place in memory each time they start, making it more
difficult for an attacker to exploit them.

Position-independent executables were available in Leopard from the
start, and Instant Hijack was written to take them into account.
However, nothing on the system actually used this facility when
Leopard shipped. That changed with Security Update 2008-002, which
includes a copy of ssh and related utilities which were compiled using
PIE. At that point, we discovered that Instant Hijack’s PIE support
didn’t work correctly.

Instant Hijack’s PIE support expected the program to be loaded at a
random address. However, Leopard’s PIE implementation loads a
program’s executable code into memory, and then moves it to a new,
random address. Instant Hijack briefly inspects each process as it
launches, in order to catch those that produce audio. On something
like ssh, it exits very early, but that was enough to cause an issue
here. Instant Hijack was left looking for the executable code in the
original but since-vacated spot, and this triggered a crash.

Summary

Fortunately, the fix to Instant Hijack was relatively quick and we’ve
updated all of our affected software. If you use Audio Hijack Pro,
Airfoil, or Nicecast, grab the latest update and install the newest
Instant Hijack component. Once you do, you’ll be all set.

Posted by Mike Ash



-Alexis

On Mar 7, 2009, at 1:41, Arun Gupta wrote:

> Thomas,
>
> I'm getting 404 on this page but would love to know the information.
> I tried a couple of browsers but the same result. Can you please
> confirm the URL?
>
> Thanks,
> -Arun
>
> glassfish_at_javadesktop.org wrote:
>> To answer my own post: a couple more hours of googling showed that
>> the problem is with a utility called Airfoil, in particular its
>> "Instant Hijack" component. I was apparently running an old
>> version, that was buggy. For a description of the problem, see
>> http://www.rogueamoeba.com/utm/2008/03/19/security-update-2008-002-compatibility-fix/
>> Updating to the newest version fixed the crashes.
>> [Message sent by forum member 'tmaeder' (tmaeder)]
>> http://forums.java.net/jive/thread.jspa?messageID=335563
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>
> --
> Application Platform, Sun Microsystems, Inc.
> Blog: http://blogs.sun.com/arungupta
>




(image/png attachment: 20080319security.png)
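
The quoted Rogue Amoeba post turns on whether an executable was built as PIE, which a tool that inspects processes has to know before it trusts a load address. As an added example (not part of this thread and not Rogue Amoeba's code), the following reads the MH_PIE flag from each architecture slice of a Mach-O file, the same flag `otool -hv` reports; the sample binary is constructed in `build_sample()`.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF  # thin Mach-O, 32-bit and 64-bit
FAT_MAGIC = 0xCAFEBABE    # universal (multi-architecture) container
MH_EXECUTE = 0x2          # filetype of a main executable
MH_PIE = 0x200000         # header flag: the loader may slide this executable

def thin_pie(data, off=0):
    """Return (cputype, is_pie) for the Mach-O header at off, or None."""
    if len(data) < off + 28:
        return None
    for endian in ("<", ">"):  # the header uses the target CPU's byte order
        # mach_header: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
        magic, cputype, _, filetype, _, _, flags = struct.unpack_from(endian + "7I", data, off)
        if magic in (MH_MAGIC, MH_MAGIC_64):
            return cputype, filetype == MH_EXECUTE and bool(flags & MH_PIE)
    return None

def pie_slices(data):
    """Map the cputype of every Mach-O slice in data to True if it is PIE."""
    offsets = [0]
    if len(data) >= 8 and struct.unpack_from(">I", data)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]  # fat headers are big-endian
        count = min(nfat, (len(data) - 8) // 20)     # ignore truncated entries
        # fat_arch: cputype, cpusubtype, offset, size, align
        offsets = [struct.unpack_from(">5I", data, 8 + 20 * i)[2] for i in range(count)]
    return dict(r for r in (thin_pie(data, o) for o in offsets) if r)

def build_sample():
    """Constructed two-slice universal binary: PowerPC without PIE, x86_64 with PIE."""
    def header(endian, magic, cputype, flags):
        return struct.pack(endian + "7I", magic, cputype, 0, MH_EXECUTE, 0, 0, flags)
    ppc = header(">", MH_MAGIC, 18, 0x85)                                  # CPU_TYPE_POWERPC
    x64 = header("<", MH_MAGIC_64, 0x01000007, 0x85 | MH_PIE) + b"\0" * 4  # CPU_TYPE_X86_64
    fat = struct.pack(">2I", FAT_MAGIC, 2)
    fat += struct.pack(">5I", 18, 0, 48, len(ppc), 0)
    fat += struct.pack(">5I", 0x01000007, 0, 48 + len(ppc), len(x64), 0)
    return fat + ppc + x64

if __name__ == "__main__":
    for cpu, pie in pie_slices(build_sample()).items():
        print(f"cputype {cpu:#x}: {'PIE' if pie else 'not PIE'}")
```

To audit a real file, pass `open(path, "rb").read()` to `pie_slices`; an empty result means no Mach-O header was found.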