QuickTime For Windows - Security Alerts and What They Mean

  • Dear Community,

    Like everyone out there, we were surprised to see the news not only that there were two security flaws in Windows, but that Apple has apparently told Trend Micro that they will deprecate QuickTime for Windows. I know this raises fears in the Windows users of Isadora, so let's take a moment to analyze the situation.
    As it says on [Slashdot](https://apple.slashdot.org/story/16/04/15/0326219/apple-deprecating-quicktime-for-windows-micro-trends-urges-users-to-uninstall), "Usually when a vendor deprecates a software product and stops releasing security updates, they provide some sort of advance notice that they're intending to do so. The least we would expect is for them to announce an unexpected end-of-life themselves." It adds that "Apple told Trend Micro -- but apparently nobody else -- that they have deprecated Quicktime for Windows."
    So, it is important to emphasize that no developers we know of, including ourselves, had any advance warning of Apple's intention to deprecate QuickTime. If it is indeed true, this is very disheartening behavior by Apple. Also, we have it on the word of Trend Micro that Apple is discontinuing QuickTime for Windows, but no word from Apple themselves.
    With regard to the specific security alerts, to be attacked by these requires specific user interaction. Just having QuickTime installed will not, in and of itself, make you vulnerable.
    In the first security alert, [ZDI-16-241](http://zerodayinitiative.com/advisories/ZDI-16-241/), you have to open a movie (.mov) file that has been crafted by an attacker to execute arbitrary code. So, in this case, if you are creating your own content, using QuickTime Player, or Premiere or Media Express, you have nothing to worry about from these files. You'd have to receive a .mov file from someone or download it from somewhere else and open it for this attack to happen.
    In the second alert, [ZDI-16-242](http://zerodayinitiative.com/advisories/ZDI-16-242/), it says "User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file." So, it would seem that if you don't open files that you do not recognize, you are not at risk. Furthermore, it would seem to us that if you disable QuickTime in your web browser, you are not vulnerable in that way. (This is an assumption on my part; I need to do a bit more checking to prove that my assumption is correct here.)
    Note that in the security alert announcements above, they indicate that you can protect yourself from these threats using the "TippingPoint™ IPS Customer Protection." If you click that link, you'll see that TippingPoint was acquired by Trend Micro. I do not say this to persuade you that the threats above are not real or serious; they are most certainly real. But simply to say, it is in the best interest of Trend Micro to get you worried.
    So, I would offer this: as it says in the Hitchhiker's Guide to the Galaxy, "Don't Panic."
    We will move as quickly as we can to determine our course of action for Isadora for Windows. But we will need a bit of time to calmly evaluate the situation and see what our next steps are. In the meantime, read the security alerts above, pay attention to ways in which you can expose yourself to risk, and avoid those situations as we seek a solution here at TroikaTronix. Otherwise, your only option is to uninstall QuickTime and stop using Isadora until we come up with a solution.
    Mark Coniglio