March 19, 2008 12:28 PM PDT

Input managers strike again: Security Update 2008-002, printing and Instant Hijack

by CNET staff

[Wednesday, March 19th]

UPDATE: Rogue Amoeba has now released an update for Instant Hijack that resolves this issue.

No matter how many times we recommend the removal of input managers (at the very least before installation of major system updates and preferably altogether), and how many significant issues they cause, users, pundits and select developers will continue to defend and make use of these add-ons.

To reiterate, Input Managers reach right into an application and alter its code. This puts the behavior of the affected application outside the control and responsibility of its developers: a recipe for troubleshooting problems. That's not to say that issues absolutely will ensue as a result of Input Managers, but you, as a user, must do some cost/benefit analysis. If the functionality of a specific Input Manager or set thereof proves crucial, you may well choose to assume the associated risk.

Regardless, the problematic potential of input managers was demonstrated again this week when dozens if not hundreds of users lost their ability to print after applying Security Update 2008-002. Our previously mentioned fix, re-applying the Mac OS X combo updater, worked for many, but others had to remove "Instant Hijack," a component of Rogue Amoeba's Audio Hijack Pro and... surprise!: an Input Manager.

You can uninstall Instant Hijack, which is located in /usr/local/hermes, from the "Install Extras..." window under the Audio Hijack Pro menu in Audio Hijack Pro.

Most other input managers are located in the following directories:

  • /Library/InputManagers
  • ~/Library/InputManagers

and we recommend removing them all, especially prior to system updates (they can always be added back one by one later). But advice is just advice.
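As an added example (not code from the original article or from any vendor it mentions), this shell sketch inventories the two directories listed above and moves their contents into a sibling disabled folder, so they can be restored one by one after an update. The folder name "Input Managers (Disabled)" and the function names are assumptions of this example; it does not touch Instant Hijack in /usr/local/hermes, which is removed through Audio Hijack Pro as described above.

```shell
#!/bin/sh
# Added example: reversibly disable Input Managers before a system update.
# DISABLED_NAME is this sketch's choice of folder name, not an Apple convention.
DISABLED_NAME="Input Managers (Disabled)"

# Print every entry in <library>/InputManagers, one path per line.
list_input_managers() {
    [ -d "$1/InputManagers" ] || return 0
    for entry in "$1/InputManagers"/*; do
        [ -e "$entry" ] || continue        # unmatched glob: directory is empty
        printf '%s\n' "$entry"
    done
}

# Move all entries from directory $1 into $2; print how many were moved.
move_entries() {
    src=$1; dest=$2; moved=0
    if [ -d "$src" ]; then
        for entry in "$src"/*; do
            [ -e "$entry" ] || continue
            mkdir -p "$dest" || return 1
            name=$(basename "$entry")
            if [ -e "$dest/$name" ]; then  # never overwrite an existing copy
                echo "skipped, already present: $dest/$name" >&2
                continue
            fi
            mv "$entry" "$dest/$name" && moved=$((moved + 1))
        done
    fi
    echo "$moved"
}

disable_input_managers() { move_entries "$1/InputManagers" "$1/$DISABLED_NAME"; }
enable_input_managers()  { move_entries "$1/$DISABLED_NAME" "$1/InputManagers"; }

# Usage: script.sh list|disable|enable  (/Library needs administrator rights)
case "${1:-}" in
    list)    for lib in /Library "$HOME/Library"; do list_input_managers "$lib"; done ;;
    disable) for lib in /Library "$HOME/Library"; do disable_input_managers "$lib"; done ;;
    enable)  for lib in /Library "$HOME/Library"; do enable_input_managers "$lib"; done ;;
esac
```

Run `list` first and keep its output as the record of what was installed; `enable` puts everything back, after which individual bundles can be moved out again to isolate a misbehaving one.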

Feedback? Late-breakers@macfixit.com.

    by Gennx30 March 19, 2008 1:21 PM PDT
    Wouldn't installing it in SAFE MODE do the trick without all the fuss?
    That's what I do - I never have had a problem with these 'Security Updates'
    by macjournals March 19, 2008 1:21 PM PDT
    >
    This is a reply to a previous comment by Gennx30


    The problem is not installing software with input managers active; no one's claiming that they hack the Installer to do bad things. The problem is booting later with the input managers active.

    The problem is that most "input managers" aren't anything of the sort--they use that format so they can load inside an application and directly patch its binary code (i.e., adding toolbar items to Safari, adding menu items to Finder, intercepting keystrokes in all applications). When the binary code that they're trying to patch changes behind their back--such as when Safari gets updated--the "input manager" code is now patching the wrong thing, leading to crashes and intrigue.

    Input Managers were designed to let international developers and users create ways to use non-standard (as in, non-ASCII) keyboards to input non-Roman text. The system loads them into all applications that use Cocoa, even a little bit (like using the Font Panel, for example, or WebKit) and calls upon them to provide input from whatever sources they find. Since they load into every app and get an initialization call, though, people have been using them as a way to hack into any application over the objections of security and protected memory.

    To get around this problem, their developers have taken to calling them "plug-ins," as if they conformed to some standard plug-in architecture. There are no "Safari plug-ins" other than those in your "Internet Plug-Ins" folder (i.e., Flash, QuickTime, DivX). That's the only plug-in architecture Safari has.

    Booting in "Safe mode" before you install won't solve the problem, because the problem is that these patches load again into new versions of code when you stop booting into "safe mode." Running in "safe mode" solves the problem, but makes your system far less useful.
    by alanhdn March 19, 2008 1:29 PM PDT
    There is an update for Audio Hijack Pro which I installed first and have not experienced these problems so far.
    by gberkson March 19, 2008 1:29 PM PDT
    >
    This is a reply to a previous comment by alanhdn


    Not having previously seen the advice about removing Input Managers before applying updates, I immediately experienced not being able to print after applying the latest security update.

    I then deleted all input managers from my libraries as well as used File Buddy to find all instances of Instant Hijack.

    After deleting all files and restarting my G4, I still cannot print. I tried to apply the combo updater as suggested but it would not install, saying that my hard drive did not meet the necessary requirements.

    ---
    Too much time, too many headaches....
    by lkrupp March 19, 2008 1:29 PM PDT
    >>
    This is a reply to a previous comment by gberkson


    Did you restart your machine?
    by John Sawyer March 19, 2008 1:29 PM PDT
    >>
    This is a reply to a previous comment by gberkson


    Make sure the Combo updater you use is the same version as the version of OS X that's currently installed on your Mac (that may seem obvious, but it should still be mentioned); and make sure you're using the right type of Combo updater for your Mac (Intel vs PPC, etc.).
    by stevecarlson March 19, 2008 1:40 PM PDT
    The recently posted (3_19_08) Instant Hijack Pro, version 2.8.1 fixes this problem.
    by remyleroy March 19, 2008 1:40 PM PDT
    >
    This is a reply to a previous comment by stevecarlson


    Instant HiJack 2.03 fixed this issue too:

    What's New in 2.0.3
    - Fixed crash in ssh and related commands when using Mac OS X 10.5 (Leopard) with Apple Security Update 2008-002
    by John Sawyer March 19, 2008 1:40 PM PDT
    >
    This is a reply to a previous comment by stevecarlson


    That should be "Audio Hijack Pro 2.8.1", not "Instant Hijack Pro 2.81"--Instant Hijack is a separate InputManager that you can opt to have Audio Hijack Pro install. AHP 2.8.1 will install Instant Hijack 2.0.3, the fixed version, if you ask it to.
    by WhiteDog March 19, 2008 2:37 PM PDT
    Not that it matters now, but there used to be much more trouble with this sort of thing in versions of the Mac OS prior to OS X. Programs installed system extensions liberally and the conflicts between these were legion. It's a relatively simple matter to manage Input Managers: I have created Input Managers (Disabled) folders in ~/Library and /Library. If I'm having trouble, or being cautious, I can easily move any and all Input Managers into the Disabled folder to see if they are causing a particular problem.

    And, as I've mentioned before, the best designed Input Managers, like Saft, disable themselves if the code they need to patch has been changed.

    What seems necessary, therefore, are two things: One, developers of Input Managers need to implement the necessary fail-safes to keep their products from patching the wrong code; and two, those who use Input Managers should take the simple precaution of creating the appropriate Disabled folders so they can more easily test their Input Managers when trouble does occur.

    Though Unsanity haxies have come in for the same kind of criticism as Input Managers, Unsanity sets a standard for best practices; the latest version of their Application Enhancer turns off any plug-ins that are not compatible with the installed version of the OS. And when their plug-in installers run, they create a list of files installed so you know - if you bother to read the list - just what was installed and where. This may be impractical for large applications, like Microsoft Office, which install thousands of files. But they could, at least, inform you of major changes they make. Office '08, for instance, rearranges fonts in the /Library/Fonts and ~/Library/Fonts folders, disabling a large number of fonts as it installs updated versions in the /Library/Fonts/Microsoft folder. While, in practice, this is a good idea, preventing potential font conflicts, the installer doesn't warn you it's going to do this, leaving the user to stumble across this major system modification on their own - as I did.

    I realize this is a sidetrack, but it illustrates the larger problem, that many, if not all, application installations can potentially cause trouble - if not because they hack the system, then because they implement some feature badly. Indeed, the preponderance of evidence on, if not the very existence of, MacFixIt demonstrates that this is so. Input Managers have come in for particular opprobrium, but they are hardly the only bad actors out there.

    The best that can be said, therefore, is caveat emptor.

    ---
    Don't anthropomorphize computers.
    They hate that.
    by slurslee March 20, 2008 4:06 AM PDT
    Advice is just advice... and a nice little pre-install utility that applies all of MacFixIt's recommendations that people could use before and after an install... that would be lucrative for somebody, and remove the need to keep reminding everyone of a multi-step procedure over and over again. You could instead just say, "use ItFixMac!"

    ---
    |
    | slur was here
    |
    by Ilgaz March 20, 2008 4:06 AM PDT
    >
    This is a reply to a previous comment by slurslee


    The "Fixmac" software you suggest can disable $100 worth of software on this machine alone. If Macfixit guys will fill 700 highly secure, randomised passwords for me or code a patch for Safari source to make use of mouse gestures, I am all OK for disabling them. :)
    by Ilgaz March 20, 2008 5:20 AM PDT
    Input Managers are no longer a security or stability problem on Leopard, since Leopard ignores Input Managers in the user's home directory. It doesn't even care about them in the first place.
    On Tiger or anything pre-Leopard, Input Managers in the user's home directory can simply be secured by making the "Input Managers" folder in the user's home directory "owned by Administrator", so no rogue input managers (if any exist) can be installed without prompting the user for a password.
    Some great software exists thanks to Input Managers _technology_, NOT a bug, and by suggesting that non-technical people delete their Input Managers, you are breaking the software that people have (sometimes) paid for. Sometimes that software could have a very serious, critical job to do, such as filling in passwords or helping disabled people use "mouse gestures".
    Anyway, I am really tired of telling same thing over and over on macfixit. I am a VT Pro subscriber anyway, not subscribed to here.