Is Apple Quicktime A Security Risk For Windows Pro Tools Users?

So What's The Big Deal About Apple QuickTime And This Viral Story About Its Security Flaws On Windows?

Since the news of this QuickTime issue broke earlier this week, I've been asked for my thoughts many times by colleagues, customers, other Pro Tools bloggers, pro audio forums, websites and Facebook groups. So here's my take on the situation as an audio professional, Pro Tools specialist for the Windows operating system and Big Cheese of The Pro Tools PC, and how to deal with it (in my own humble opinion).

These days, not even a few weeks can pass without one computer tech website or another reporting on security flaws identified in desktop operating systems, web browsers, mobile OSes or APIs. This week is no different, with security firm Trend Micro reporting and advising on two vulnerabilities found in Apple's QuickTime media software, specifically in the Windows version. This report appears to have now gone rather viral on tech news sites, forums and user groups (read a full report here).
Usually, when this occurs, the company in question comes forward with a patch to plug the holes and we carry on until the next time.
What's different here is that Apple are yet to release a fix/patch and have instead simply provided instructions on how to uninstall the QuickTime software, citing its intention to "deprecate", or end the support and development of, the application.


 

Why does this matter to us Pro Tools Users?

Actually, it doesn't matter quite so much as many might believe (or have you believe). We still need QuickTime for certain tasks, so here's a little background.
Although Avid have made bold moves with Pro Tools 12.5 and continue to develop away from QuickTime dependencies for the Pro Tools AVE (Avid Video Engine) where video is concerned, Pro Tools still depends on QuickTime for importing and converting "Foreign Format" audio such as MP3. In other words, the QuickTime engine is used as the import and conversion plugin in the Import Audio dialogue window of Pro Tools, as seen in the picture below. Note the text line at the very bottom of the window, which appears when QuickTime is not installed/found on the system while trying to import an MP3 file into a PT session via the "Import Audio" file menu option.

Quicktime Import1

In order to import our MP3 we need QuickTime installed, and the only components we actually need are the "Core Libraries".


 

What are we actually at risk from by having QuickTime Installed?

Well, the Zero Day Initiative reports that there are two risks, and both of them state:

"This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file."

See here for ZDI-16-241 and here for ZDI-16-242

This means a user must actually click on a piece of malicious code, a web link or perhaps a piece of embedded media to provoke the exploit. In my humble opinion and experience this would most likely occur while surfing the internet, and could be considered no worse than any other web surfing session. If you are surfing websites with questionable embedded malicious code, you might want to think about the sites you are visiting, perhaps? But as ever, there are users who click on things not knowing what they are, or simply to find out what they are.

This advisory report appears to be primarily about web surfing and the QuickTime components that are used with the web browser to execute QuickTime media, so let's look at what those components are.

There appear to be two main components to the QuickTime package: the QuickTime Essentials (the core library and QT engine) and the QuickTime Player. In addition to those there are three optional components: the QuickTime Web Plug-In, the Picture Viewer and QuickTime for Java.
Let's look at these in reverse order:

QuickTime for Java: Java is a programming language that has been in the news recently with its own set of security risks, which can be read about here, and QuickTime for Java is a rather old dinosaur of a media plugin that is not at all favoured these days by anyone writing websites or applications. You can quite quickly pick up this vibe by reading the Wikipedia entry here, and I strongly suspect that unless you have some very old software that hasn't been updated in more than 5 years you are probably not going to need this component.

QuickTime Picture Viewer: I don't think this one needs much explaining, but you really shouldn't be needing something like this to view pictures in this day and age. Again, unless you have some very old software that hasn't been updated in more than 5 years and that holds a dependency on this component, you are probably not going to need this either.

QuickTime Web Plug-In: This is the part I suspect to be the most risky. KILL IT WITH FIRE!!! But no, seriously, nobody should be developing a website that holds a dependency on QT for media playback these days. HTML5 should have seen the end of QT, Flash and many other "old skool" media formats for web integration, so you really shouldn't need it at all.

QuickTime Player: This one "may" be OK to keep if the other components listed above are removed, but I see no reason at all to keep it, as there are plenty of other media players out there I would look to before ever using this "old clunker". I would recommend VLC: it's free, plays everything you can throw at it (even MXFs) and does not require any extra codecs to be installed. At worst, good ol' Windows Media Player will be fine for those not yet on Windows 10, but as I mentioned there are many, many other alternatives, so I'm sure many of you will already have a favourite.

QuickTime Essentials: From my testing with Pro Tools, this part should be all you need to continue to use Pro Tools 10/11/12 as usual, so move on down to the guide below to straighten out your QT installation.

As a side note, we would always advise not to use your main Pro Tools workstation as your leisure internet surfer, but if you do, make sure you have adequate protection by means of a well recognised and trusted antivirus & anti-malware solution.
It is for this very reason we at Pro Tools PC developed our "Safe Surf" platform for totally isolated & independent web surfing on your Pro Tools PC.

Here's how to make sure we get only those required components and do the best we can to protect ourselves from any vulnerabilities.

Installing the bare minimum Quicktime Components Required for Pro Tools

First, uninstall QuickTime entirely using the regular QuickTime uninstaller or the Windows remove programs feature found in Windows Control Panel.

Then download the QuickTime installer (not the iTunes version) from here if you don't already have it (note you do not need to enter your email address to get it).

Make sure no other applications are currently running and then run the downloaded installer and click next through the windows until you get to this page:
Quicktime Install 1

Choose the "Custom" option.

Quicktime Install 2

And disable all options except the "Quicktime Essentials" item at the top of the list by clicking the down arrow next to each item and selecting "Entire Feature Will Be Unavailable".

Quicktime Install 3

When all items except the "Quicktime Essentials" are disabled, click next and complete the installation.

Restart the computer. Your required QuickTime components will now be installed without the potentially dangerous parts, and you should be able to continue using Pro Tools and its dependent QuickTime components as usual. Of course, if you are ultra-paranoid you can just uninstall QuickTime entirely and use another app for MP3 conversion when/if you need it.
As you may have noticed, I have not addressed any video dependencies on QuickTime here, such as the "Import Video" or "Bounce to Quicktime" options in Pro Tools, but rest assured I've tested these features with the above configuration and they all work.
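To confirm after the restart that the custom install left only the feature you intended, the Windows Installer feature states can be read back. This is an added example, not part of the original post or of Apple's or Avid's guidance; it assumes the QuickTime package is registered with Windows Installer under a product name containing "QuickTime", and the feature IDs it prints are the installer's internal names, which may not match the labels in the setup dialog.

```powershell
# Added example: report which Windows Installer features of QuickTime are present.
# Assumption: QuickTime is an MSI product whose ProductName contains "QuickTime".

# Windows Installer INSTALLSTATE values for a feature.
$StateName = @{ 1 = 'Advertised'; 2 = 'Absent'; 3 = 'Local'; 4 = 'Source' }

function Get-MsiProperty {
    param($Installer, [string]$Name, [object[]]$MethodArgs)
    # The Installer automation object is late-bound in PowerShell, so its
    # parameterised properties are read through InvokeMember.
    $Installer.GetType().InvokeMember($Name, 'GetProperty', $null, $Installer, $MethodArgs)
}

function Get-QuickTimeFeatureState {
    $installer = New-Object -ComObject WindowsInstaller.Installer
    foreach ($code in (Get-MsiProperty $installer 'Products' $null)) {
        try {
            $name = Get-MsiProperty $installer 'ProductInfo' @($code, 'ProductName')
        } catch {
            continue   # product registered for another user or unreadable
        }
        if ($name -notlike '*QuickTime*') { continue }

        $version = Get-MsiProperty $installer 'ProductInfo' @($code, 'VersionString')
        foreach ($feature in (Get-MsiProperty $installer 'Features' @($code))) {
            $state = [int](Get-MsiProperty $installer 'FeatureState' @($code, $feature))
            $label = if ($StateName.ContainsKey($state)) { $StateName[$state] } else { "Unknown ($state)" }
            [pscustomobject]@{
                Product   = $name
                Version   = $version
                Feature   = $feature
                State     = $label
                Installed = ($state -eq 3 -or $state -eq 4)   # files present on disk
            }
        }
    }
}

$report = @(Get-QuickTimeFeatureState)
if ($report.Count -eq 0) {
    'No QuickTime product is registered with Windows Installer on this machine.'
} else {
    # Anything marked Installed beyond the essentials feature was not deselected.
    $report | Sort-Object Installed -Descending | Format-Table -AutoSize
}
```

Features that were set to "Entire Feature Will Be Unavailable" should show as Absent; an empty result after a full uninstall confirms the product is gone.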

I hope you have found that useful. I'd just like to state that I am by no means a computer security expert, although I have spent the last 16 years working in the industry designing and building Pro Audio PCs and working in high-security broadcast infrastructure. With a little careful consideration I think my advice is sound and reasonable. Of course, you don't have to follow my advice either, and for best security we would always recommend our Pro Tools PC customers take advantage of the free "Safe Surf" web browsing application installed on every Pro Tools PC.

*Update*

Avid have now confirmed my above method by creating a support document with the same advice; see here for details.
