The problem is not in the player, but in the runtime itself. When decoding the data stream (which contains descriptors about the media as well as the media data itself), a maliciously designed descriptor opens the door.
This is the most classic of all poor programming techniques!! The runtime is not checking the descriptor for the length of the data that follows. So if there is a buffer that's 8K long, the descriptor is specified as being longer (e.g. 16K). The first 8K contains junk. The second 8K will overwrite any code beyond the end of the buffer.
What the hackers do is figure out where the program will go after filling the buffer, and overwrite that code with their own code. This happens in the context of the user. Which means they can do anything you can do (or why you want to avoid running as administrator when possible).
Because this is in the runtime, AMA is affected, along with everything else. As I mentioned in an earlier post, if all you're doing is processing your own stuff (e.g. QT Ref, SAS, reading .MOV files from your own cameras, etc.) you're fine. If you download a malicious .MOV file and import/link to it, you will fire off the malicious code.
Dave S.
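The missing length check described in the post above, as an added example that is not part of the original thread and is not QuickTime's code: a descriptor reader that rejects a declared length larger than the destination buffer or larger than the data actually present. The 4-byte big-endian length layout and the names `read_descriptor` and `parse_constructed` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_CAP 8192u /* the 8K buffer from the post */

enum { DESC_OK = 0, DESC_TRUNCATED = -1, DESC_TOO_LONG = -2 };

/* Assumed layout (constructed): 4-byte big-endian length, then payload. */
static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Copy one payload into out; nothing is written unless both checks pass. */
int read_descriptor(const uint8_t *in, size_t in_len,
                    uint8_t *out, size_t out_cap, size_t *copied)
{
    if (in_len < 4)
        return DESC_TRUNCATED;          /* no room for the length field */
    uint32_t declared = read_be32(in);
    if (declared > out_cap)             /* the check the post says is missing */
        return DESC_TOO_LONG;
    if (declared > in_len - 4)          /* length runs past the real data */
        return DESC_TRUNCATED;
    memcpy(out, in + 4, declared);
    *copied = declared;
    return DESC_OK;
}

/* Build a constructed descriptor claiming `declared` bytes but carrying
 * `avail` payload bytes, parse it, and return bytes copied or the error. */
int parse_constructed(uint32_t declared, size_t avail)
{
    static uint8_t in[4 + 16384], out[BUF_CAP];
    size_t copied = 0;
    if (avail > sizeof in - 4)
        avail = sizeof in - 4;
    in[0] = (uint8_t)(declared >> 24);
    in[1] = (uint8_t)(declared >> 16);
    in[2] = (uint8_t)(declared >> 8);
    in[3] = (uint8_t)declared;
    memset(in + 4, 0x41, avail);
    int rc = read_descriptor(in, 4 + avail, out, sizeof out, &copied);
    return rc == DESC_OK ? (int)copied : rc;
}
```

The 16K-into-8K case from the post comes back as `DESC_TOO_LONG` before any byte is copied.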
FWIW, it would be hard for Windows Defender or other antivirus app to stop this. Because any code can be inserted, there won't be a consistent signature in the file for the virus scanners to latch onto. And you can't look for a bad descriptor without actually parsing out the file, which an antivirus program isn't going to do.
The best thing Apple could do in this case is to publish the source code for QT and let someone else fix it. But I doubt they're going to do that.
What our IT will likely do is to push a global QT uninstall and block any transfer of any QT associated files, i.e. movs, etc.
Using MC 22.12. Win 22H2 Avid FX6.4, Vegas Pro 20/ DVD Architect 6pro, DVDit6.4proHD, CCE Basic, TmpGe Express4, TmpGe Authoring Works 4, DVDLab-Studio. Sony EX-1R, Canon XH-A1, GL2, GL1, Canon EOS 60D
DStone: The problem is not in the player, but in the runtime itself. When decoding the data stream (which contains descriptors about the media as well as the media data itself), a maliciously designed descriptor opens the door. ... If you download a malicious .MOV file and import/link to it, you will fire off the malicious code.
Do I understand correctly that other programs can still open mov files even without QT being installed? If so, does this mean that as long as ANY program has the ability to open mov files, the exploit could be triggered? Or, do you need at least the core quicktime program installed for the exploit to take place?
On a related note, would there be any way that the exploit could work without someone specifically playing a QT file? Are there any clever ways of taking advantage of the exploit such that people could accidentally trigger it without intentionally "playing" a compromised mov file?
Thanks again for clarification on this,
L
(Most worrisome is that there are two security vulnerabilities and proven that they will not be corrected by APPLE.)
In plain English what does this mean for the Mc 8.5.2 user today who has been using Quick Time for export since the change out from Liquid Edition... i.e. what does "two security vulnerabilities" mean ....
Reading all the posts on this issue, hopefully Avid will deal with it .. I'm not going to pull the chain on it until there is an official response from Avid ..??
Hello, Is this a workaround to quicktime security flaws ?
I do not know but on this site it says so. http://www.iso1200.com/2016/04/quicktime-security-issue-how-to-keep.html Below is a video + download link is on this page. I'll test ASAP on a fully PRORES project.
I watched that video - it claims that the security holes are in the QT player itself but I don't believe I've heard that yet (and I question its validity). QT Lite? Not so sure. Does anyone know for certain where the two security holes reside? Are they in the player or in the core essentials?
Steve
______________________
www.nelliedogstudios.com
As can be read on this page, April 15, 2016: http://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/windows-pc-users-uninstall-quicktime-for-windows-now Users of QuickTime player for Windows are advised to uninstall the program, due to the discovery of critical bugs that may not be patched. The recommendation is based on the discovery of two critical vulnerabilities on the media player software that might not be fixed any time soon. etc ... So it would be the quicktime player. No?
I've uninstalled Quicktime and now no video in timeline or anywhere with Mc. Can hear audio, but no video or graphics.
Doh!
Assume need to do uninstall/reinstall of MC.
Hugh MC 8.3.1
cuervo: My vote is to replace .mov with .mxf. MXF is multi-platform, open source(?), established, and already part of Media Composer
MXF files can neither be imported into Squeeze nor into TMPGEnc.
Joachim
Joachim Claus
Hi, Sorry for polluting the discussion but with QT Lite : MC 8.5.2 does not start and remains on splash with the message: initializes the manager of media streams
Joachim Claus: MXF files can neither be imported into Squeeze nor into TMPGEnc.
Avid MC works without QT Player. What you do outside of MC without it is another issue.
Squeeze should have really supported MXF import a long time ago.
DQS
www.mpenyc.com
There's way too much knee jerk reaction going on with this. The short solution is easy. Don't uninstall QT. Uninstall the QT plugins for your web browsers. Don't play .mov files downloaded from the web or from an unknown source. That's it. If you're only dealing with your own files, you're safe. Change the defaults so the QT player doesn't open any files by default.
Joachim Claus: MXF files can neither be imported into Squeeze nor into TMPGEnc.
This is an issue for Squeeze and TMPGEnc to fix ASAP. It's absurd they haven't done so already.
DStone: There's way too much knee jerk reaction going on with this. The short solution is easy. Don't uninstall QT. Uninstall the QT plugins for your web browsers. Don't play .mov files downloaded from the web or from an unknown source. That's it. If you're only dealing with your own files, you're safe. Change the defaults so the QT player doesn't open any files by default.
Agreed - in fact, I would remove the player as well.