Jump to content

QuickTime for Windows - Depreciated with Security Risk


You are about to reply to a thread that has been inactive for 2050 days.

Please take a moment to consider if this thread is worth bumping.

Recommended Posts

Hello hello!

Today I bring news of Apple's QuickTime, knowing that some in the SL community still rely on some handling from this application for certain types of media (MOV, OGG etc) . I know that for media compatibility I often had to download QuickTime as a stand-alone just to get some streams to work and to get plug-ins for my browser (I don't know if all of this is still necessary in modern versions of Windows).

Anyway! Apple have released info on two critical zero-day flaws (ZDI-16-241 and ZDI-16-242) in their QuickTime application under Windows. They say that QuickTime support has been quietly depreciated. This means that bugs will not be patched, Windows systems running QuickTime will remain vulnerable.

Trend Micro are advising Windows users to uninstall QuickTime to reduce possible attack vectors.

As this pertains to SL, I think it might just be a good idea that if you've been around a while (or you've been using SL on the same PC for some years) or know that you still use QuickTime, that you check whether or not your system has this installed and have a think about whether the benefits outweigh the potential costs.

Best of luck! Some sources follow!

--

Uninstallation instructions located [here]

Information from the US Computer Emergency Readiness Team [here]

 

Link to comment
Share on other sites

Quicktime also comes bundled with the viewer...

I'm really curious if LL are going to remove Quicktime support from their viewer & if TPV's will do the same.

You can play QuickTime media with a CEF enabled viewer without Quicktime actually being installed on the system.

Actually I was wrong there.

After blitzing Quicktime from my Windows 7 box, Quicktime media will no longer play on either the LL viewer or Firestorm viewer.

I can see the viewer bundled quicktime plugin launches in my viewer logs, but the media screen remains white.

newview/llviewermedia.cpp(2112) : 2016-04-15T20:37:48Z INFO: LLViewerMediaImpl::loadURI: Asking media source to load URI: http://ia802606.us.archive.org/34/items/TheFastandtheFuriousJohnIreland1954goofyrip/TheFastandtheFuriousJohnIreland1954goofyrip_512kb.mp4
llcommon/llprocess.cpp(731) : 2016-04-15T20:37:48Z INFO:#LLProcess LLProcess::LLProcess: SLPlugin.exe (3512): launched cd "C:\Program Files (x86)\FirestormOS-Release\llplugin": "C:\Program Files (x86)\FirestormOS-Release\SLPlugin.exe" 58251
llplugin/llpluginprocessparent.cpp(1029) : 2016-04-15T20:37:48Z INFO:#Plugin LLPluginProcessParent::receiveMessage: plugin version string: QuickTime media plugin, QuickTime version 0
llplugin/llpluginprocessparent.cpp(1038) : 2016-04-15T20:37:48Z INFO:#Plugin LLPluginProcessParent::receiveMessage: message class: base -> version: 1.0
llplugin/llpluginprocessparent.cpp(1038) : 2016-04-15T20:37:48Z INFO:#Plugin LLPluginProcessParent::receiveMessage: message class: media -> version: 1.0
llplugin/llpluginprocessparent.cpp(1038) : 2016-04-15T20:37:48Z INFO:#Plugin LLPluginProcessParent::receiveMessage: message class: media_time -> version: 1.0
llplugin/llpluginprocessparent.cpp(600) : 2016-04-15T20:37:59Z WARNING:#Plugin LLPluginProcessParent::idle: timeout in exiting state, bailing out
llcommon/llprocess.cpp(850) : 2016-04-15T20:37:59Z INFO:#LLProcess LLProcess::kill: killing SLPlugin.exe (3124)
llcommon/llprocess.cpp(1036) : 2016-04-15T20:37:59Z INFO:#LLProcess LLProcess::handle_status: SLPlugin.exe (3124) exited with code -1

 

 

Link to comment
Share on other sites

Uninstall Now!  Multiple Threats + NO FUTURE Fixes make QuickTime on Windows Machines a Ticking Time Bomb!

Linden Lab has stated they are moving away from QuickTime and towards HTML 5.  However, I have not seen a public Migration Roadmap, Deadline or Concerted Effort to Communicate (Big Surprise) with and assist Creators / Vendors of Audio Vidsual (AV) Devices that use QuickTime with the migration process.

Link to comment
Share on other sites

I killed Quicktime years ago and since then there was - of course - no quicktime based content visible in the viewer. Same is for Flash which I killed 1.5 years ago. Both is garbage that I don't run on my computer.

With the latest viewers (new web engine) I made a test and tried youtube on a MOAP prim. Videos run fine, so html5 seems to work now.

Addon: Silverlight is not relevant for SL but has major security holes too and is deprecated soon.

Link to comment
Share on other sites


Whirly Fizzle wrote:

Quicktime also comes bundled with the viewer...

I'm really curious if LL are going to remove Quicktime support from their viewer & if TPV's will do the same.

<snip>

 

And when they remove it we will get a hundred threads from people wondering why their media doesn't work.  ;)

Link to comment
Share on other sites


Whirly Fizzle wrote:

 

After blitzing Quicktime from my Windows 7 box, Quicktime media will no longer play on either the LL viewer or Firestorm viewer. 

I.. think that's how I remember it, had a feeling there was a dependancy for these media types. I don't know a tonne about the under-the-hood stuff (deferring to you there :P) but would hope LL are paying attention!

Can agree with Perrie that this is an opportunity for user confusion. And with Rogue, that there exists some element of risk to the SL community from this change.

HTML5 runs in the browser, no add-ons required. :) Would hope that this news only accelerates other services' transitions away from QT.

(Paying attention again! Sorry. Couple of days without Internet happened.)

Link to comment
Share on other sites

  • 2 weeks later...

Hi Ven,

The advice above is largely directed to those who have the stand-alone Quicktime application installed - typically, SL users from the times before when an external Quicktime download was required to view Quicktime media in SL, and therefore may still be lingering on their system.

My understanding (not the most comprehensive) of modern Viewer arcitecture is that the bundled Quicktime plugin (located at: %VIEWER DIRECTORY%\llplugin\media_plugin_quicktime.dll) only contains low level information. I can't say for sure whether this presents a risk without knowing its contents - however it's likely that running with media disabled in-viewer (Preferences > Sounds & Media) will prevent any use of this library and render it safe - or, as safe as things are likely to get. I would expect that the dll doesn't have much risk associated with it.

I have tested removing this specific file manually, and don't see any significant errors in my viewer, though I expect I'll see more if I try viewing a Quicktime media source. If you're particularly worried, I'd say try this (keep a backup) and see if you notice any difference in functionality.

Disclaimer: I use Catznip R10, the content in this post has its accuracy limited to that viewer only.

Link to comment
Share on other sites

You are about to reply to a thread that has been inactive for 2050 days.

Please take a moment to consider if this thread is worth bumping.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...