17 Apr 2016

US-CERT official announcement on the vulnerability of Apple QuickTime for Windows


The United States Computer Emergency Readiness Team (US-CERT) has made an official announcement on the vulnerability of Apple QuickTime for Windows: https://www.us-cert.gov/ncas/alerts/TA16-105A.

The vulnerability can be exploited if the user visits a malicious web page or opens a malicious .MOV file in either the QuickTime Player or EDIUS.

The following functionality will be lost if QuickTime is uninstalled:

  • Still Image File Formats: BMP (export only); JPEG; JPEG2000; TIFF; PSD; PNG; SGI; GIF; GIF89a; JFIF; Mac PICT; sgiRGB
  • MOV Video File Formats: MOV (other than MPEG-2, H.264/AVC, HDV & 3ivx D4 4.5.1)
  • Audio: MOV (other than Linear PCM and AAC)

Versions Affected

  • EDIUS Workgroup 8
  • EDIUS Pro 8
  • EDIUS XS (used in GV STRATUS)
  • EDIUS Elite
  • EDIUS Pro 7
  • EDIUS Elite 7
  • EDIUS Pro 6.5
  • EDIUS Neo 3.5
  • EDIUS Turnkey Workstations (Japan only)
  • (plus all previous versions of EDIUS, which are already End of Service)

Action Required

EDIUS uses QuickTime components for the handling of certain image types and formats. Grass Valley does NOT recommend completely removing QuickTime because EDIUS requires it to be present when installing or updating. If it is essential to do so, the following steps should be followed:

  1. Disconnect internet connection
  2. Install QuickTime
  3. Install or upgrade EDIUS
  4. Uninstall QuickTime (Windows Control Panel > Programs and Features)
  5. Reconnect internet connection

Workaround

The security risk in the QuickTime Player can be removed by installing QuickTime Essentials:

  1. Uninstall QuickTime (Windows Control Panel > Programs and Features)
  2. Install QuickTime (Select Custom > Only Enable QuickTime Essentials option)

If only QuickTime Essentials is installed, the functionality lost in EDIUS is as follows:

  • Still Image File Formats: GIF89a; JFIF
  • MOV Video File Formats: MOV (Sorenson, animation, 3gp, 3g2)
  • Audio: MOV (other than Linear PCM and AAC)

IMPORTANT NOTE: This workaround minimizes the risk of EDIUS being affected by the QuickTime security issue, but does not completely remove it. According to the vulnerability report, the user is still at risk if opening a malicious .MOV file directly in EDIUS.
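
To confirm the state of a workstation after either procedure above, the following PowerShell check is an added example, not code from Grass Valley or US-CERT. It assumes the QuickTime installer registers a DisplayName beginning with "QuickTime" and that an Essentials-only install does not place QuickTimePlayer.exe in the install folder; the function name and state labels are hypothetical.

```powershell
# Added example: report whether QuickTime for Windows is registered on this host.
# Assumption: the uninstall entry's DisplayName begins with "QuickTime".
# Assumption: an Essentials-only install has no QuickTimePlayer.exe in its folder.
function Get-QuickTimeState {
    # 64-bit and 32-bit (WOW6432Node) uninstall keys; QuickTime is a 32-bit product.
    $hives = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entries = Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'QuickTime*' }

    if (-not $entries) {
        return [pscustomobject]@{ State = 'NotInstalled'; Version = $null; Location = $null }
    }

    foreach ($e in $entries) {
        if (-not $e.InstallLocation) {
            # Entry exists but does not say where the files are; flag for manual review.
            $state = 'InstalledLocationUnknown'
        }
        elseif (Test-Path (Join-Path $e.InstallLocation 'QuickTimePlayer.exe')) {
            # The Player is the component the workaround is meant to remove.
            $state = 'PlayerPresent'
        }
        else {
            $state = 'NoPlayerFound'
        }
        [pscustomobject]@{
            State    = $state
            Version  = $e.DisplayVersion
            Location = $e.InstallLocation
        }
    }
}

Get-QuickTimeState | Format-Table -AutoSize
```

A result of NoPlayerFound only indicates that the Player executable is absent; as the note above states, opening a malicious .MOV file directly in EDIUS remains a risk while the QuickTime components are installed.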

Future Roadmap

Grass Valley engineering will be assessing how best to update EDIUS to ensure that the full feature set is available without any requirement to install QuickTime for Windows. We will advise as soon as possible on a timescale for when we think this can be implemented, but it is anticipated that it can be achieved within the next 1 or 2 maintenance releases.

This topic is also covered in the online FAQ:
http://www.ediusworld.com/en/support/faq/cat121/edius_all_768.html
