VideoHelp Forum
  1. They've been freaking out about this on the Avid forum for days.

    If you need quicktime you can uninstall it then reinstall with only the core components. The exploits are both based on manipulating the moov atom of online media. To date no one has actually maliciously used the exploit.
  2. Bad news for some Adobe Creative Cloud users.

    Adobe warns that uninstalling vulnerable QuickTime for Windows can break Creative Cloud
    They that give up essential liberty to obtain a little temporary safety deserve neither liberty or safety.
    --Benjamin Franklin
  3. racer-x (Member; joined Mar 2003; location: 3rd Rock from the Sun)

    I wonder if they will incorporate open source alternatives like ffmpeg?
    Got my retirement plans all set. Looks like I only have to work another 5 years after I die........
  4. aedipuss (aBigMeanie; joined Oct 2005; location: 666th portal)

    apple is allowing active critical exploits that they have been aware of for 6 months to go unpatched forever. what a bunch of f'ing morons, all it takes with one of them to infect a computer with them is to visit a website. and if you need apple prores in your video work flow you're out of luck because prores codecs will no longer work on the windows platform without quicktime.


    i deleted all apple crap off my computers. my web development computers don't even have safari anymore. i don't give a hoot if my websites don't work with safari, they can use a different browser. if someone sends me prores to work with i'll tell them to convert that crap themselves.
    --
    "a lot of people are better dead" - prisoner KSC2-303
  5. Cornucopia (Member; joined Oct 2001; location: Deep in the Heart of Texas)

    Adobe doesn't really do opensource much. However, this isn't quite a "the sky is falling" situation, like it is being advertised.

    First: Quicktime 7.x API has been deprecated for a number of years now, so the writing's been on the wall and most people have got their act together. Adobe has just been slow to finalize things, though they have done some transitioning already.

    Second: The vulnerability seems to be in how malicious code could piggyback inside the mov atom (header), but this really only affects DECODING, and mainly affects the Web plugin. One could very easily remove the web plugin (both by disabling it in FF, and/or deleting the DLL, and/or uninstalling QT).

    Third: If you vet your files (can verify that they all come from trusted known-good sources), this is a non-issue. If you don't, and you still need access to the wide variety of codecs in MOV files, a simple solution is TRANSCODING to a safe codec & container via ffmpeg, LAV filters, etc. Or SANDBOXING in a VM, frozen PC or isolated bench PC. Or convert on a Mac to safe PC formats.

    Fourth: As I found out earlier this spring when trying to troubleshoot an issue with 64bitPPTwin2010 and MOV/MP4 playback, the best solution (besides upgrading to 2013 or using a Mac) is to use LAV filters for decoding & playback of ALL mov files (since it seems to work with the vast majority of QT codecs, is FOSS, runs faster than QT, and works in both 32bit and 64bit spaces), so you can completely eliminate QT for both PPT, web, and standalone playback. It hooks into Dshow, so there is no Apple code involved.

    Fifth: The main stumbling block with Adobe usage is the industry reliance on ProRes. I say: either boycott Apple/ProRes, or encode to Lossless AVI/MKV/MXF, and/or only use a Mac or reverse-engineered FOSS PC mov encoders, or wimp out and license the ProRes code to encode directly. Since YOU (the user) are creating the file, you know it isn't compromised with a virus.

    Again, maybe it's time to put Apple's "my way or the highway", N.I.H. bullying tactics out on the mat and demand they: open up 3rd party codecs to AVfoundation, port the AVfoundation (QT X) over to 64bitWindows PCs (and keep it code-current), release AVfoundation as opensource, and/or allow ProRes (etc) decode to follow a fair and open reference model (so 3rd party encoders can make encodes that are compliant and playable in Macs) along the lines of MPEG. If they won't, the industry should embrace MOX or a similar open MOV format replacement.

    Scott
    Last edited by Cornucopia; 21st Apr 2016 at 11:54.
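The thread places the flaws in how a decoder handles the atom structure of a .mov file. As an added example (not written by any poster here, and not Apple's or any project's code), this sketch walks a file's atoms and reports sizes that are inconsistent with their parent, a generic structural check to run before a file reaches a decoder or transcoder, not a detector for the specific QuickTime bugs. The container list, function names and sample bytes are assumptions constructed for illustration.

```python
import struct
# Atoms whose payload is a sequence of child atoms (subset, chosen for this example).
CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"edts", b"dinf"}

def walk_atoms(buf, start=0, end=None, depth=0, max_depth=16):
    """Yield (depth, type, offset, size, problem) for each atom in buf[start:end]."""
    end = len(buf) if end is None else end
    pos = start
    while pos < end:
        if end - pos < 8:
            yield depth, b"????", pos, end - pos, "truncated header"
            return
        size, kind = struct.unpack_from(">I4s", buf, pos)
        header = 8
        if size == 1:                      # 64-bit size follows the type field
            if end - pos < 16:
                yield depth, kind, pos, end - pos, "truncated extended size"
                return
            size, header = struct.unpack_from(">Q", buf, pos + 8)[0], 16
        elif size == 0:                    # atom extends to the end of its parent
            size = end - pos
        problem = None
        if size < header:
            problem = "size smaller than header"
        elif pos + size > end:
            problem = "size overruns parent"
        elif kind in CONTAINERS and depth >= max_depth:
            problem = "nesting too deep"
        yield depth, kind, pos, size, problem
        if problem:
            return                         # offsets after a bad size are meaningless
        if kind in CONTAINERS:
            yield from walk_atoms(buf, pos + header, pos + size, depth + 1, max_depth)
        pos += size

def problems(buf):
    return [(k.decode("latin-1"), off, p) for _, k, off, _, p in walk_atoms(buf) if p]

def atom(kind, payload=b""):
    return struct.pack(">I4s", 8 + len(payload), kind) + payload

# Constructed samples, not real media; BAD's 'trak' claims 4096 bytes inside a 16-byte 'moov' payload.
GOOD = atom(b"ftyp", b"qt  " + bytes(4)) + atom(b"moov", atom(b"mvhd", bytes(100)) + atom(b"trak"))
BAD = atom(b"ftyp", b"qt  " + bytes(4)) + struct.pack(">I4s", 24, b"moov") + struct.pack(">I4s", 4096, b"trak") + bytes(8)

if __name__ == "__main__":
    for name, data in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, problems(data) or "structure consistent")
```

A file that passes is only structurally consistent; it says nothing about the codec data inside, so the transcoding and sandboxing options from the post above still apply to untrusted sources.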
  6. Thanks pdr.

    "A user would have to visit a malicious Web page or open a malicious file to exploit either of the vulnerabilities. Each vulnerability would execute code in the security context of the QuickTime player"

    That provides some perspective on what this vulnerability entails. IOW, vulnerabilities are just as much about the exploit as they are about user behavior q.v. imaging a virgin build, embracing format c:, keeping your video workstation off the web, moving all your content to WORM storage, etc.

    With the rise of 4K, ProRes feels dated anyway. I, for one, welcome our new XAVC overlords.
  7. aedipuss (aBigMeanie; joined Oct 2005; location: 666th portal)

    LOL that needs a bit of re-wording. try "all a user would have to do is visit a malicious web page to have their computer infected with any trojan, virus, or pay to unlock all your files malware" is more accurate.
    --
    "a lot of people are better dead" - prisoner KSC2-303
  8. Haha, not my wording. I just pulled it out from pdr's linked article. But yes, all malware requires the cooperation of the user. That's why some people are virus magnets. You know who they are. I have met more than my share.
  9. Member (joined Jun 2012; location: New Zealand)

    So how will all the DSLR users and iPhone users edit their .mov video if their NLE depends on QuickTime libraries being installed? (Worried!)
  10. aedipuss (aBigMeanie; joined Oct 2005; location: 666th portal)

    all my canon dslr mov files still import and work in vegas pro 13 and premiere pro just fine with no apple software on the computers.
    --
    "a lot of people are better dead" - prisoner KSC2-303
  11. Member (joined Jun 2012; location: New Zealand)

    Thanks aedipuss - good to know
  12. racer-x (Member; joined Mar 2003; location: 3rd Rock from the Sun)

    You can also edit your mov files in any Video editor that uses ffmpeg. Aviutl is a good example, as are all Linux Video editors I've tried.
    Got my retirement plans all set. Looks like I only have to work another 5 years after I die........