Quicktime security and flaws...

set wrote on 4/15/2016, 12:39 AM
Recently noticed this article in my FB news feed:
http://gizmodo.com/even-homeland-security-wants-you-to-uninstall-quicktime-1771130093
Even Homeland Security Wants You to Uninstall Quicktime for Windows

Sony Vegas requires QT for all MOV file support, but I rarely use it for playback...
I guess it is not something that we have to be concerned about?

Set

Comments

VMP wrote on 4/15/2016, 1:21 AM
I too am curious to hear from other users if we can uninstall QuickTime. I never use it, having VLC and WM player.

Couldn't we somehow just install the codec of QuickTime that Vegas needs and uninstall the rest?

Edit: I just found this: https://en.wikipedia.org/wiki/QuickTime_Alternative
"QT Lite is a stripped-down version of QuickTime Alternative that contains only the base components, and does not install"

That seems to be just the codec, without the rest of QuickTime. I just came across it, so I am looking more into it.

VMP
set wrote on 4/15/2016, 3:57 AM
Hi VMP...

Set check your link, it is broken.
Thank you VMP. The link code has been corrected.

I divided it across two different lines and it was causing an error. Link has been corrected.
monoparadox wrote on 4/15/2016, 8:17 AM
I very rarely use QT in Vegas. I do believe however, that Hitfilm Pro required me to install QT to use all its features.

-- tom
relaxvideo wrote on 4/15/2016, 10:55 AM
I'm sad.
Often I use HD timeline -> frameserved to VirtualDub superior resize to DVD, and frameserved to Procoder for creating HQ MPEG-2 files.
Problem is Procoder cannot even start without QT :(
VMP wrote on 4/15/2016, 5:03 PM
Before I uninstall QT I would like to know from other 'Vegas Experts' out here what you are going to do.

Did anyone of you find a way to just install the necessary codec and remove the rest which is 'unsafe'?

Did you look into 'quicktime light'? https://www.google.com/#q=quicktime+light

Before I install that I would like some more feedback from you guys.

VMP
rmack350 wrote on 4/15/2016, 5:39 PM
This is hitting just before NAB and I think we'll see it addressed by many stakeholders in the next two weeks. If you never view MOV files then I don't see the harm of leaving it installed and waiting for more information. However, I did just check to make sure it wasn't the default player for anything.

I don't know what happens when you start Vegas without quicktime installed, but I DO use DVCProHD MOV files on a regular basis so I personally can't just uninstall quicktime.

Also, this news is kind of more like third parties saying "Vulnerabilities are appearing, Apple isn't patching it, everyone should uninstall it." None of this is information from Apple.

Rob
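
The check mentioned in the post above (making sure QuickTime is not the default player for any file type) can be scripted. This is an added example, not part of the original thread; the extension list is a constructed sample, and matching the string "QuickTime" in the ProgId or open command is a heuristic assumption.

```powershell
# Added example: report which program opens each media extension by default
# and flag the ones that resolve to QuickTime.
# The extension list is a constructed sample; extend it for your own media types.
$extensions = '.mov', '.qt', '.mp4', '.m4v', '.3gp', '.aif', '.wav', '.mp3'

function Get-DefaultValue {
    param([string]$Path)
    # Returns the (default) value of a registry key, or nothing if it is absent.
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($item) { $item.'(default)' }
}

function Get-OpenHandler {
    param([string]$Extension)

    # A per-user "Open with" choice overrides the class registration.
    $choiceKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension\UserChoice"
    $choice = Get-ItemProperty -LiteralPath $choiceKey -ErrorAction SilentlyContinue
    $progId = if ($choice) { $choice.ProgId } else { $null }

    # Otherwise fall back to the merged machine/user class registration.
    if (-not $progId) {
        $progId = Get-DefaultValue "Registry::HKEY_CLASSES_ROOT\$Extension"
    }

    # Resolve the ProgId to the command line that a double-click would run.
    $command = if ($progId) {
        Get-DefaultValue "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    }

    [pscustomobject]@{
        Extension = $Extension
        ProgId    = $progId
        Command   = $command
        # Heuristic (assumption): the handler is QuickTime if its name appears
        # in either the ProgId or the open command. -match is case-insensitive.
        QuickTime = ("$progId $command" -match 'QuickTime')
    }
}

$extensions | ForEach-Object { Get-OpenHandler $_ } |
    Sort-Object QuickTime -Descending |
    Format-Table -AutoSize -Wrap
```

This covers file associations only; it does not look at browser plug-ins, so it says nothing about the "visit a malicious web page" route quoted later in the thread.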
VMP wrote on 4/15/2016, 6:17 PM
Indeed rmack350

I am keeping it installed for a while till we know more.
I am going to try to install the codec only in another PC to see if that is enough for Vegas.

VMP
fldave wrote on 4/16/2016, 12:15 AM
I haven't submitted videos for iStock/Getty for a while, I need to see what other formats they accept. Used to be only MOV.

Digging through the articles to the source, it seemed to be the standard "xxx company isn't updating software yyyy anymore, so it's dangerous and you need to abandon it"-type of useless warning.
PeterDuke wrote on 4/16/2016, 12:47 AM
Are there any security holes in Quicktime Alternative?

Probably but unknown.
Former users wrote on 4/17/2016, 7:59 AM
I have a client that provides source material (:30 and :60 TV spots) that are usually MOV files. I just "tag" these spots with their localized information then output the results as MP4 files for local / regional media distribution.

And it appears that Apple no longer updates or supports the Windows QT driver / platform -- regardless of security issues. So, I have uninstalled the QT driver from my system and I will let my client know that I can no longer offer production services that involve MOV / QT files. They'll have to find a Mac based production vendor or a PC based vendor that doesn't mind leaving their computer system(s) open to potential security issues.

BTW - Even without QT on my system I can convert an MOV to MPG / MP4 / etc using Handbrake if I just HAVE to complete a project with an MOV file as a source file.

Jim
JohnnyRoy wrote on 4/17/2016, 8:35 AM
> "They'll have to find a Mac based production vendor or a PC based vendor that doesn't mind leaving their computer system(s) open to potential security issues."

The vulnerability was found in the QuickTime Player. It has nothing to do with the QuickTime codec that handles MOV files. All you needed to do was delete the player .exe file and you are safe. You don't have to lose business over it. That's a bit drastic.

~jr
Former users wrote on 4/17/2016, 9:44 AM
I did quite a bit of internet research about this topic before deciding to remove QT from my system. And, interestingly enough, I didn't see a single reference to the security issue being just the QT player and that it was the ONLY component that was vulnerable to the unpatched flaw.

Where did you discover this information? It would certainly be a useful tidbit of knowledge for us NLE users out there that aren't too familiar with anything Apple related.

In my case, the client in question only needs the production service using MOV files once or twice a year and I only bill for a couple of hours, so it's no big deal for me one way or the other, so I can certainly live without QT.

Thanks.
JohnnyRoy wrote on 4/17/2016, 3:28 PM
> "Where did you discover this information? It would certainly be a useful tidbit of knowledge for us NLE users out there that aren't too familiar with anything Apple related."

It was documented in the original Trend Micro blog:

"... Both vulnerabilities would require a user to visit a malicious web page or open a malicious file to exploit them. And both vulnerabilities would execute code in the security context the "

Apparently it's a vulnerability in the Player that a malicious file would need to exploit. I don't see how working with MOV files in Vegas Pro would cause any harm, which is how most Vegas Pro users leverage QuickTime.

~jr
Former users wrote on 4/17/2016, 3:45 PM
Thanks for the link. I had actually read that article, but the majority of the statements in the article follow suit with its title: "Urgent Call to Action: Uninstall QuickTime for Windows Today"

It doesn't say delete "player.exe" -- it says uninstall QuickTime for Windows -- very pointedly and repeatedly...

But, that being said, I see in the comments that the author did reply to a comment stating, "Yes, this is about the actual QuickTime player and not the codecs." But, he followed that up with, "I understand the question, unfortunately that's something that Apple and/or Microsoft will have to answer authoritatively."

Anyway, for the time-being I've uninstalled QT and may re-install it at a future date if need be.

In fact, I've just about decided to go ahead and allow MS to upgrade my system to Windows 10 -- so, QT will just be one less thing to worry about going haywire after transition ;-)

Jim
Former users wrote on 4/17/2016, 4:07 PM
The articles are misleading. They are making it sound like Apple is telling you to uninstall it, and I can't find any statement like that on Apple support.

What they actually quote from the Cnet page is "follow Apple's guidance.." and then they link to a guide of how to uninstall. I think this is a case of the sky is falling.

Apple is dropping support. As JR mentioned, the security loopholes are specific.

(Note a little sales pitch on the Trend Micro page:

"Our TippingPoint customers have been protected against these two vulnerabilities since November 24, 2015 with filters 21918(ZDI-CAN-3401) and 21919(ZDI-CAN-3402).")
PeterDuke wrote on 4/18/2016, 1:25 AM
As I have said in another thread, Vegas 9 and below need QT for MOV and MP4 but Vegas 10 and above do not.
JohnnyRoy wrote on 4/18/2016, 6:45 AM
> "the articles are misleading. They are making it sound like Apple is telling you to uninstall it, and I can't find any statement like that on Apple support. "

+1

As I said in the other thread (I wish we didn't have to have two threads on the same topic) :(

Not to detract from the fact that there is a vulnerability that COULD be exploited (but hasn't yet and may never be) but it is in the best interest of anti-virus companies to spread fear and panic so that customers buy their products. I would take the potential impact with a "grain of salt" judging it's coming from a company that has everything to gain from fear mongering.

In my professional opinion, the appropriate response would be to warn the public and recommend that people be careful not to download malicious files (which is what you need to do in order to be affected by this... nothing is going to come and attack you... you need to initiate the attack by downloading and playing a malicious file). Not to completely uninstall a multi-media subsystem that may break other products on their computer that rely on it.

If you are working with MOV files from your camera or rendering to MOV for your customers, you have absolutely nothing to worry about. I'm guessing many of you are still using Windows XP. That is a far greater threat to your security than QuickTime is. ;-)

~jr
Kurt8 wrote on 4/18/2016, 7:31 AM
I don't know if this is going to be as easy as we think. I use Vegas Pro 12. My primary camera is a BMPCC which produces ProRes .MOV files for me.

I just removed QuickTime 7 to test this and tried to open a recent project that uses the .MOV files that I normally work with. After removing Quicktime 7 I was unable to successfully open the test project. Vegas gave me the option of reconnecting to the missing files but even when I did search and reconnect the files I was not able to open the project.

This would indicate to me that Vegas Pro 12 needs to have Quicktime installed for me to be able to work with the .MOV files that my camera generates. Or does anyone see another option for me that possibly only involves having the Quicktime Codecs installed without actually having to have QuickTime 7 installed?

Kurt
Steve Grisetti wrote on 4/18/2016, 7:56 AM
Once Quicktime is installed, you can delete or rename the suffix of the QuicktimePlayer.exe file, and you should be able to get the benefits of the codecs without being exposed to the vulnerability of the player itself.
JohnnyRoy wrote on 4/18/2016, 10:43 AM
> "This would indicate to me that Vegas Pro 12 needs to have Quicktime installed for me to be able to work with the .MOV files that my camera generates. Or does anyone see another option for me that possibly only involves having the Quicktime Codecs installed without actually having to have QuickTime 7 installed?"

There was a package called QuickTime Alternate that had non-Apple codecs. I'm not sure if it supports ProRes. Like I said, if you are only using QuickTime to process your camera's ProRes files you have nothing to worry about.

BTW, my previous advice to rename or delete the QuickTime player manually doesn't seem to work. In the "other" thread on this topic it has been reported that Vegas Pro requires the QuickTime Player.exe be available.

~jr
rmack350 wrote on 4/18/2016, 12:04 PM
> "In the "other" thread on this topic it has been reported that Vegas Pro requires the QuickTime Player.exe be available."

VMP and I both reported this.

A clarification is in order. There are some encodings (mp4, for example) that Vegas can (probably, I didn't actually test but I think others have) decode even if it's wrapped in QuickTime. There are other encodings like ProRes, DVCProHD.mov via Raylight Decoder, Animation Codec, etc. that require the QuickTime player. So, this is simple enough to test. Just rename the "QuickTimePlayer.exe" to something else and then open Vegas and try it. If it throws an error then you still need the QuickTime player.

In the meantime let's hope SCS can tell us whether they plan to address this. They might feel that they shouldn't if they see Vegas as EOL.

Rob
Kurt8 wrote on 4/18/2016, 2:28 PM
Just wanted to follow up on my particular situation (using Vegas Pro 12 with BMPCC ProRes .mov files). If I rename or delete QuickTime Player.exe I am faced with the same problem as when I completely uninstall Quicktime - I can no longer open any of my BMPCC projects in Vegas Pro 12. So the only way I can keep using my current workflow is to keep Quicktime installed on my machine. Hopefully, there will eventually be a fix for this.

Kurt
astar wrote on 4/18/2016, 3:03 PM
Yep. ProRes is a custom mpeg4 profile written to an .mov format. That mov header says to use QT. No way around this inside Vegas. You will have to live with the threat, or change your workflow to something that does not use .mov