This is hitting just before NAB and I think we'll see it addressed by many stakeholders in the next two weeks. If you never view MOV files then I don't see the harm of leaving it installed and waiting for more information. However, I did just check to make sure it wasn't the default player for anything.
I don't know what happens when you start Vegas without quicktime installed, but I DO use DVCProHD MOV files on a regular basis so I personally can't just uninstall quicktime.
Also, this news is kind of more like third parties saying "Vulnerabilities are appearing, Apple isn't patching it, everyone should uninstall it." None of this is information from Apple.
Are there any security holes in Quicktime Alternative?
Probably but unknown.
wrote on 4/17/2016, 7:59 AM
I have a client that provides source material (:30 and :60 TV spots) that are usually MOV files. I just "tag" these spots with their localized information then output the results as MP4 files for local / regional media distribution.
And it appears that Apple no longer updates or supports the Windows QT driver / platform -- regardless of security issues. So, I have uninstalled the QT driver from my system and I will let my client know that I can no longer offer production services that involve MOV / QT files. They'll have to find a Mac based production vendor or a PC based vendor that doesn't mind leaving their computer system(s) open to potential security issues.
BTW - Even without QT on my system I can convert an MOV to MPG / MP4 / etc using Handbrake if I just HAVE to complete a project with an MOV file as a source file.
> "They'll have to find a Mac based production vendor or a PC based vendor that doesn't mind leaving their computer system(s) open to potential security issues."
The vulnerability was found in the QuickTime Player. It has nothing to do with the QuickTime codec that handles MOV files. All you needed to do was delete the player .exe file and you are safe. You don't have to loose business over it. That's a bit drastic.
wrote on 4/17/2016, 9:44 AM
I did quite a bit of internet research about this topic before deciding to remove QT from my system. And, interesting enough, I didn't see a single reference to the security issue being just the QT player and that it was the ONLY component that was vulnerable to the unpatched flaw.
Where did you discover this information? It would certainly be a useful tidbit of knowledge for us NLE users out there that aren't too familiar with anything Apple related.
In my case, the client in question only needs the production service using MOV files once or twice a year and I only bill for a couple of hours, so it's no big deal for me one way or the other, so I can certainly live without QT.
"... Both vulnerabilities would require a user to visit a malicious web page or open a malicious file to exploit them. And both vulnerabilities would execute code in the security context the "
Apparently it's a vulnerability in the Player that a malicious file would need to exploit. I don't see how working with MOV files in Vegas Pro would cause any harm which is how most Vegas Pro users leverage QuickTime..
wrote on 4/17/2016, 3:45 PM
Thanks for the link. I had actually read that article, but the majority of the statements in the article follow suit with its title: "Urgent Call to Action: Uninstall QuickTime for Windows Today"
It doesn't say delete "player.exe" -- it says uninstall QuickTime for Windows -- very pointedly and repeatedly...
But, that being said, I see in the comments that the author did reply to a comment stating, "Yes, this is about the actual QuickTime player and not the codecs." But, he followed that up with, "I understand the question, unfortunately that's something that Apple and/or Microsoft will have to answer authoritatively."
Anyway, for the time-being I've uninstalled QT and may re-install it at a future date if need be.
In fact, I've just about decided to go ahead and allow MS upgrade my system to Windows 10 -- so, QT will just be one less thing to worry about going haywire after transition ;-)
wrote on 4/17/2016, 4:07 PM
the articles are misleading. They are making it sound like Apple is telling you to uninstall it, and I can't find any statement like that on Apple support.
What they actual quote from the Cnet page is "follow Apple's guidance.." and then they link to a guide of how to uninstall. I think this is a case of the sky is falling.
Apple is dropping support. As JR mentioned, the security loopholes are specific.
(note a little sales pitch on the Trend Micro page
"Our TippingPoint customers have been protected against these two vulnerabilities since November 24, 2015 with filters 21918(ZDI-CAN-3401) and 21919(ZDI-CAN-3402)."
> "the articles are misleading. They are making it sound like Apple is telling you to uninstall it, and I can't find any statement like that on Apple support. "
As I said in the other thread (I wish we didn't have to have two threads on the same topic) :(
Not to detract from the fact that there is a vulnerability that COULD be exploited (but hasn't yet and may never be) but it is in the best interest of anti-virus companies to spread fear and panic so that customers buy their products. I would take the potential impact with a "grain of salt" judging it's coming from a company that has everything to gain from fear mongering.
In my professional opinion, the appropriate response would be to warn the public and recommend that people be careful not to download a malicious files (which is what you need to do in order be affected by this... nothing is going to come and attack you... you need to initiate the attack by downloading and playing a malicious file). Not to completely uninstall a multi-media subsystem that may break other products on their computer that rely on it.
If you are working with MOV files from your camera or rendering to MOV for your customers, you have absolutely nothing to worry about. I'm guessing many of you are still using Windows XP. That is a far greater threat to your security than QuickTime is. ;-)
I don't know if this is going to be as easy as we think. I use Vegas Pro 12. My primary camera is a BMPCC which produces ProRes .MOV files for me.
I just removed QuickTime 7 to test this and tried to open a recent project that uses the .MOV files that I normally work with. After removing Quicktime 7 I was unable to successfully open the test project. Vegas gave me the option of reconnecting to the missing files but even when I did search and reconnect the files I was not able to open the project.
This would indicate to me that Vegas Pro 12 needs to have Quicktime installed for me to be able to work with the .MOV files that my camera generates. Or does anyone see another option for me that possibly only involves having the Quicktime Codecs installed without actually having to have QuickTime 7 installed?
Once Quicktime is installed, you can delete or rename the suffix of the QuicktimePlayer.exe file, you should be able to get the benefits of the codecs without being expose to the vulnerability of the player itself.
> "This would indicate to me that Vegas Pro 12 needs to have Quicktime installed for me to be able to work with the .MOV files that my camera generates. Or does anyone see another option for me that possibly only involves having the Quicktime Codecs installed without actually having to have QuickTime 7 installed?"
There was a package called QuickTime Alternate that had non-Apple codecs. I'm not sure if it supports ProRes. Like I said, if you are only using QuickTime to process your camera's ProRes files you have nothing to worry about.
BTW, my previous advice to rename for delete the QuickTime player manually doesn't seem to work. In the "other" thread on this topic it has been reported that Vegas Pro requires the QuickTime Player.exe be available.
In the "other" thread on this topic it has been reported that Vegas Pro requires the QuickTime Player.exe be available.
VMP and I both reported this.
A clarification is in order. There are some encodings (mp4, for example) that Vegas can (probably, I didn't actually test but I think others have) decode even if it's wrapped in quicktime. There are other encodings like ProRes, DVCProHD.mov via Raylight Decoder, Animation Codec, etc that require the quicktime player. So, this is simple enough to test. Just rename the "QuickTimePlayer.exe" to something else and then open Vegas and try it. If it throws an error then you still need the quicktime player.
In the mean time let's hope SCS can tell us whether they plan to address this. They might feel that they shouldn't if they see Vegas as EOL.
Just wanted to follow on my particular situation (using Vegas Pro 12 with BMPCC ProRes .mov files). If I rename or delete QuickTime Player.exe I am faced with the same problem as when I completely uninstall Quicktime - I can no longer open any of my BMPCC projects in Vegas Pro 12. So the only way I can keep using my current workflow is to keep Quicktime installed on my machine. Hopefully, there will eventually be a fix for this.
Yep. Prores is a custom mpeg4 profile written to an .mov format. That mov header says to use QT. No way around this inside vegas. You will have to live with the threat, or change your workflow to something that does not use .mov