QuickTime for Windows vulnerability



  • So it looks like Windows users should take extra precautions as QuickTime is a necessity. https://www.us-cert.gov/ncas/alerts/TA16-105A It seems that there were a couple of vulnerabilities discovered four months ago by Trend Micro and so far Apple hasn't responded that there are plans on fixing them. Ugh.



  • Apple has indeed responded and indicated that they will not fix them. We at TroikaTronix were as surprised as anyone at the announcement by Apple that they would not only not fix these bugs, but discontinue QuickTime entirely. This is obviously something that requires serious consideration on our part, and we're getting the team together to talk it over and consider our options.

    I also am unsure how vulnerable these sorts of security holes make one. That's something I need to understand more deeply as well.
    We'll be monitoring the situation. But for now, if you wish to continue using Isadora, you will need to keep QuickTime installed. There isn't any other workaround at this time.
    Best Wishes,
    Mark


  • Dear All,

    Please read the following about the security alerts.
    http://troikatronix.com/troikatronixforum/discussion/2663/quicktime-for-windows-security-alerts-and-what-they-mean#latest
    Best,
    Mark


  • Thank you.



  • I'm surprised that the Windows world is still using QuickTime so heavily. I'm wondering why this is an Apple issue and not a Microsoft issue? Presumably the arbitrary code would have to be on the target machine before running an 'infected' QT movie could execute it? I'm surprised that Windows 10 would allow such penetration and Microsoft couldn't fix the issue in the OS by sandboxing? I haven't used Windows for over a decade but thought they were ahead of Apple in terms of sandboxing and protecting from such attacks.

    Having read the security alerts it does seem that several stars have to be in alignment for someone to become vulnerable and most people could carry on as normal with slightly more caution.


  • @Unfenswinger,

    Well, so far, no comment at all from either Apple or Microsoft. Maybe they're figuring out what it means as well.
    Best,
    Mark


  • For Windows users, how do we start Isadora without QuickTime installed? My IT department felt that QuickTime must be uninstalled from all machines and now Isadora won't start (as it says that it must have QuickTime to operate and that I must download it first). I am running the latest version, 2.2.2.



  • Dear @dgaddy,

    There is no way to start Isadora on Windows without QuickTime installed. We are working towards removing reliance on QuickTime completely, but this is not going to be an overnight affair. Like all developers (including big ones like Adobe) Apple blindsided us with this – no end of life announcement was made until they were faced with these security announcements. We will deal with this as soon as we can, but you can expect it to take some time – probably not until July at the earliest.
    Please read my notes on the threat here:
    http://troikatronix.com/troikatronixforum/discussion/2663/quicktime-for-windows-security-alerts-and-what-they-mean#latest
    If, after reading that, you feel removing QuickTime is necessary, then you will not be able to run Isadora until we release the new version that does not rely on QuickTime.
    Sincerely,
    Mark


  • Mark. I understand the challenges that Apple has put on you and other developers. I was hoping for a workaround. IT for the company blindsided me by just removing QuickTime, preventing me from using Isadora and some other programs. With some others, I can use the program, just nothing which would require QuickTime. I will work with my IT department to see if they will allow it on the machine running Isadora.



  • @mark, this just posted by Adobe. Don't know if it's useful to you, but thought I'd share... http://blogs.adobe.com/creativecloud/apple-quicktime-on-windows-update/

