Friday, April 15, 2016

Apple Stops Patching QuickTime for Windows Despite 2 Active Vulnerabilities

Apple:

If you no longer need QuickTime 7, here’s how to remove it from your PC.

They don’t say why you might want to do this, though.

Juli Clover:

The Department of Homeland Security’s U.S. Computer Emergency Readiness Team today issued an alert recommending Windows users with QuickTime installed uninstall the software as new vulnerabilities have been discovered that Apple does not plan to patch.

Christopher Budd:

First, Apple is deprecating QuickTime for Microsoft Windows. They will no longer be issuing security updates for the product on the Windows Platform and recommend users uninstall it. Note that this does not apply to QuickTime on Mac OSX.

Second, our Zero Day Initiative has just released two advisories ZDI-16-241 and ZDI-16-242 detailing two new, critical vulnerabilities affecting QuickTime for Windows. These advisories are being released in accordance with the Zero Day Initiative’s Disclosure Policy for when a vendor does not issue a security patch for a disclosed vulnerability. And because Apple is no longer providing security updates for QuickTime on Windows, these vulnerabilities are never going to be patched.

Dan Goodin:

The retirement of QuickTime for Windows has been in the planning stages for at least a few months, and possibly much longer. Apple has never supported QuickTime for Windows 8 or 10, although some users found ways to work around the restriction. What’s more, the January update removed the browser plugin for QuickTime, making it impossible for video on websites to seamlessly play in a user’s browser. As a result, there’s little chance QuickTime vulnerabilities could be harnessed into a drive-by download exploit. Instead, exploits would have to rely on social engineering that convinces a user to download a video and open it in QuickTime.

Even so, Apple officials should have shown the courtesy to tell Windows users QuickTime was no longer receiving security updates, rather than leaving it to Trend Micro.

Rosyna Keller:

As for Adobe apps needing QuickTime on Windows, there’s also irony there. All indications were that Apple didn’t tell Adobe until everyone else found out. The same thing happened when Apple announced during a Carbon WWDC session that 64-bit HIToolbox was cancelled. This was the first time Adobe or anyone else learned about the cancellation.

Apparently, Lightroom 6 for Windows relies on QuickTime.

Update (2016-04-16): Nick Heer:

It’s easy enough to uninstall QuickTime, but a surprising number of programs on Windows list it as a dependency, including GoPro Studio and Cubase to run, and Premiere Pro, After Effects, and Traktor for various features.

Pierre Lebeaupin:

As far as users go, the average user now has a number of alternatives, starting with VLC, but there are a number of people working on Windows in media and media-related industries who will miss having a reference media player on their machine (iTunes’ just not the same thing). However, software developers who were still building against the QuickTime SDK and relying on QuickTime being installed on Windows should have seen it coming for some time: the writing has been on the wall for QuickTime for Windows since QuickTime X in 2009, when there was no corresponding update on the Windows side, which stayed on QuickTime 7.

Update (2016-04-19): Adobe (via Rosyna Keller):

Adobe has worked extensively on removing dependencies on QuickTime in its professional video, audio and digital imaging applications and native decoding of many .mov formats is available today (including uncompressed, DV, IMX, MPEG2, XDCAM, h264, JPEG, DNxHD, DNxHR, ProRes, AVCI and Cineform). Native export support is also possible for DV and Cineform in .mov wrappers.

Unfortunately, there are some codecs which remain dependent on QuickTime being installed on Windows, most notably Apple ProRes. We know how common this format is in many workflows, and we continue to work hard to improve this situation, but have no estimated timeframe for native decode currently.

Update (2016-05-26): David McGavran:

Today we’re pleased to announce that Adobe has been able to accelerate work that was already in progress to support native reading of ProRes. This new capability is fully licensed and certified by Apple, and barring any unforeseen issues during pre-release, these fixes will be included into an update to the relevant products in Creative Cloud shortly.

Additionally, we are planning on adding native export support to .mov wrapped files of DNxHD and DNxHR. This shows our commitment to the DNxHD/DNxHR codecs. This support augments our currently supported import of DNxHD and DNxHR in .mov and .mxf and native export in .mxf. Similarly, in an effort to allow as many legacy files to be supported as possible we will also be supporting the reading of AAC Audio and PNG Compressed frames and the reading/writing of Animation frames.

When these fixes are released most Windows users will have a seamless workflow for virtually all popular codecs even with QuickTime removed from the computer; however, we do anticipate that some older, less used legacy formats may not be directly supported and therefore no longer be accessible. Users may need to find a method of transcoding their legacy media.
