Quicktime Security Update

As I indicated in a prior posting, we became aware of a serious flaw in Apple’s QuickTime software that could cause maliciously crafted movies to either crash your Second Life viewer or, more seriously, to execute arbitrary code contained within the stream. We had warned users to take caution when enabling movie playback within the viewer.

The good news is that Apple has recently released a patch for this issue. It will appear in Apple’s Software Update utility as QuickTime 7.3.1, or it is available here as a separate download for your system. If you have not already done so, it’s important to apply that patch as soon as possible to protect yourself from this exploit when using any application or browser, not just Second Life.

We have now released a version of the viewer that will verify you are running a version of QuickTime that is safe from exploits of this type.

This release candidate is an optional update (for now) that will test for the latest version of QuickTime before enabling streaming video. If an older, unpatched version of QuickTime is found, the viewer will disable video streaming and display a message:

[Image: QT_Verified, screenshot of the warning message]

This version of the viewer will be optional for the holidays, so if you choose not to transition to this pre-production viewer, please take a moment to update your copy of QuickTime before enabling video streaming.
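The check described above, written out as an added example (this is not the Second Life viewer’s own code, which does not appear on this page): a version gate that reads the installed QuickTime version, compares it numerically against the patched release the post names (7.3.1), and fails closed whenever the version is missing or unreadable. The function names, the StreamingDecision type and the message wording are assumptions of this example. The numeric comparison is the point worth seeing: a plain string comparison would rank "7.10" below "7.9", and a check that waves through anything it cannot parse would defeat the purpose.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Minimum QuickTime version carrying Apple's fix, as named in the post (7.3.1).
MIN_SAFE_QUICKTIME: Tuple[int, ...] = (7, 3, 1)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '7.3.1' or '7.1.6' into a tuple of ints.

    Tuples compare element by element, so (7, 10, 0) > (7, 9, 0); a string
    comparison would get that wrong. Short strings are padded ('7.3' -> (7, 3, 0))
    and a trailing build number such as '7.3.1.70' is kept as a fourth element.
    """
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            raise ValueError(f"unparseable version component {piece!r} in {text!r}")
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


@dataclass
class StreamingDecision:
    """Assumed result type: whether video streaming may be enabled, plus the message to show."""
    allow_video: bool
    message: Optional[str]


def decide_video_streaming(installed: Optional[str],
                           minimum: Tuple[int, ...] = MIN_SAFE_QUICKTIME) -> StreamingDecision:
    """Gate streaming video on the installed QuickTime version.

    `installed` is the version string reported by the local QuickTime install,
    or None when QuickTime is absent. Anything that cannot be shown to be at or
    above `minimum` is refused (fail closed).
    """
    wanted = ".".join(str(n) for n in minimum)
    if installed is None:
        return StreamingDecision(False, "QuickTime was not found; streaming video stays disabled.")
    try:
        have = parse_version(installed)
    except ValueError:
        # An unreadable version is treated like an unpatched one rather than waved through.
        return StreamingDecision(
            False, f"Could not read the QuickTime version ({installed!r}); streaming video stays disabled.")
    if have >= minimum:
        return StreamingDecision(True, None)
    return StreamingDecision(
        False,
        f"Your QuickTime ({installed}) is older than {wanted}. Streaming video is disabled "
        f"until you update QuickTime.")


if __name__ == "__main__":
    # Constructed sample inputs: patched, build-suffixed, the 7.1.6 that a commenter on
    # this post mentions as the last Windows 2000 release, a too-short string, absent, and garbage.
    for sample in ["7.3.1", "7.3.1.70", "7.1.6", "7.3", None, "n/a"]:
        d = decide_video_streaming(sample)
        print(f"{sample!r:12} -> allow={d.allow_video} {d.message or ''}")
```

Note that "7.3" is refused: padding it to 7.3.0 keeps the comparison honest, since 7.3.0 predates the fix. The warn-but-allow variant some commenters ask for would be a second branch on the same parsed value, not a different check.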

This entry was posted in Announcements & News, Security.

76 Responses to Quicktime Security Update

  1. notgoingsayit says:

    the update for QuickTime window doesn’t say there’s an update!!!
    are ya guys not clear on what ya saying!

  2. Zandor Maltese says:

    I wish we could use something besides QuickTime; it is so full of holes it’s not even funny.

    Even patched I don’t trust it. Every time they patch one hole another one is found; I know this because network security is my job.

  3. B.K says:

    Updated fine for me….

  4. Shu says:

    ..well for me it didn’t.. wtf. I installed the latest download 76116, but when installed, it’s asking for “required update” 75762 again, lol.. back to regular client it is.

  5. Bobo Decosta says:

    @ Zandor

    If you wanna avoid any risks you have to cut your internet connection. QuickTime is the best you can get.

    I would cut my SL if it was to use anything else than QuickTime. Shivers all over thinking of a SL world using something made by Microsoft. Oooooh the horror.

  6. Argent Stonecutter says:

    Even if QuickTime was 100% secure, streaming video is actively being used as a privacy exploit to track people by IP address. I recommend not using streaming video at all, and only turning streaming audio on when listening to music where you can trust the landowner.

  7. Pingback: Beware: Second Life viewer flaw : The Metaverse Journal - Australia’s Virtual World News Service

  8. Deltango Vale says:

    HEY – Windlight or QuickTime or the combination update creates concentric black rings/bands around the whole horizon. It’s a real mess. Windlight is currently unusable.

  9. Brenda Maculate says:

    Thanks for the information on this! I was asked about it on HIP just yesterday. (The person said that Apple had released an update to QuickTime last week, and wanted to know if there was anything the Lindens had done with it. I figured that when Apple addressed the problem, the Lindens wouldn’t have to do much about it, other than to let everyone know.)

  10. Wyald Woolley says:

    QuickTime is NOT full of holes. It is insanely safe. /me thinks Zandor Maltese is full of something instead.

  11. Pingback: Updated Release Candidate Viewer: Second Life 1.18.6 RC2 Available Today « Official Linden Blog

  12. Deltango Vale says:

    OK, Windlight is definitely NOT working properly. Since QuickTime has problems with Firefox and Flash, I presume QuickTime is the problem here too. Can we not have an alternative?

  13. Pingback: One step Forward - Two steps Back | Second Life Sucks

  14. Delu Elytis says:

    It is ok to warn and make sure all get the information about the risks involved, but force-disabling the movie stream is not very nice. Some may wish to run an older version of QT that may not have the security risk, or a version that is working better for them than the latest.
    Make it up to the user to choose if he/she wishes to take a risk that could harm one’s computer. Just as one can choose to run anti-virus software or not, for example.

    Let the Residents choose for themselves!

  15. Maklin Deckard says:

    In the future LL, please stop playing ‘nanny’ and deactivating services that YOU deem unsafe for ME. I’ll make my OWN security decisions, thank you…no little popup ‘we disabled X for your safety’ boxes required.

  16. Blinders Off says:

    I agree that trashcanning QuickTime and switching to a viable alternative seems a better course. Every time I install QuickTime on my system, it takes over partial control of my browser, something I don’t at all appreciate. I refuse to use it for just such a reason.

  17. Zandor Maltese says:

    “Quick Time is NOT full of holes”? Methinks you need to read up on the subject before you insult someone, Wyald Woolley. And I did not say use Microsoft; Apple and Microsoft are not the only ones that make media codecs, Bobo Decosta. And saying QuickTime is the best is an opinion; everyone has one 😉

  18. Don’t you dare to make this a mandatory update later just because of a quicktime warning. And the automatic deactivation is silly too.

  19. Bobo Decosta says:

    @ Zandor I said “anything else than Quicktime”. I don’t want crappy Real or whatever exotic stuff is out there. I want quality stuff like QuickTime. If SL was to run like the stuff Apple made I would so heavily be a SL fanboy, but for now I stay an SL sceptic, besides the QuickTime support of course 🙂

  20. web page says:

    Appow brobuts cand ged viwuses.

    sniff

  21. Tensai Hilra says:

    Using QuickTime as a format’s fine, /me shudders at using .ASF files… but having options by utilizing something like VLC would be nice. It can run QuickTime/asf/mpg/whatever too.
    Heck, it’s open-source too. May even go faster…

    Just my 0.02 USD

  22. Tensai Hilra says:

    forgot the URL: http://www.videolan.org/

    Check it out, it could be eye-opening. No installed codecs required… could open up some options in Linux clients
    (And yes, it runs on linux/win/mac/etc)

  23. Korwyn Obscure says:

    @#15: Uhm, no, it’s their grid and their network; if they wish to say “you can’t have this feature unless you’re up to date on the program it uses” then they can do that. And they’re doing it because if someone else knew about the exploit and then got slammed by it, LL, knowing about said security hole, could be considered liable if they don’t figure out how to keep said security hole from being a problem on their network.

    @ everyone else. There are 4 main streaming video formats that every computer out there pretty much supports, but you have to have a video player installed to do it. Microsoft Media Player has so many holes and is so memory hungry it’s ridiculous. Real is still no better than the spyware it used to be, let alone all the adware. Flash can do it, but for streaming, say, a movie, it becomes a resource hog.

    That leaves QuickTime, which has had very few and far between security issues. And whoever said it takes over their browser, they need to look at other things on their system. I’ve never had iTunes/QuickTime take over anything; other than that it does, just like all the others, want to offer to be your sole media player.

  24. Korwyn Obscure says:

    @#22…

    VLC is a joke; right on the front page it’s subject to ActiveX, which means it’s not a viable option for anything on a Windows machine.

    Their latest news is about… security flaws in their software.

  25. Renji Bikcin says:

    Is this why all my HUDs stop working?

  26. Tensai Hilra says:

    @24 it doesn’t require ActiveX; it runs on a number of systems that do not use it.

  27. Argent Stonecutter says:

    Streaming MPEG 4, dudes! OVER THE MBONE!

  28. HD1080i says:

    Probably should move to FLV format (the On2 codec, works in Flash Player, but Flash is not the only way to play it) or VC-1 (HD-DVD uses it, clean and compact).

  29. Earle says:

    curiously, when I logged in, this was a mandatory update, not an optional one. So much for waiting until after the holidays I guess.

    And yes, I was using the previous RC, and when I tried to log in, it said I had to update.

  30. Shadow Garden says:

    Ack! I would like to point out that all of us running Windows XP x64 edition are now prevented forever from viewing streaming video, because Apple has not released an update to QuickTime for that platform in months!

  31. DR Dahlgren says:

    You have to be able to get into the world before you worry about QT. Now, all of a sudden, nothing rezzes, cannot log back in.

    Oh, maybe LL is protecting me by keeping me out of SL completely!!

    No, probably just the normal – a long weekend is here, let’s mess something up – situation as normal.

    Damn, this is truly getting old. Every freaking holiday this place goes flush, and only 39K ppl online at the moment. Wonder if it will get fixed before Xmas now. Bet there is nothing but a skeleton crew on, if anyone at all….

    DRD

  32. Traxx says:

    Indeed well since this is the closest entry that comes to the issue.

    WARNING: DON’T REZ STUFF BECAUSE YOU MIGHT LOSE IT LIKE YESTERDAY, YOU NEVER KNOW, BETTER SAFE THAN SORRY.

    Just had to give the warning because it’s getting out of hand.

  33. Aida Lundquist says:

    76116 doesn’t log in. Shows always “loading..” in the upper left corner, that’s all.

  34. Aida Lundquist says:

    OS is Vista Ultimate 32 bit, NVIDIA 7600GS

  35. Missy Malaprop says:

    Last update they fixed not being able to read Age Verify in profiles.. this week they fixed being able to see it at all by taking it out…. which is it going to be?

  36. ahcapella Caldwell says:

    I cannot believe that I just read someone who claimed “QuickTime is not full of holes!” I nearly fell out of my chair! I suggest that person log on to apple.com’s QuickTime blog to get a jolt of reality. As someone who has used Macs since 1991, I am sorry to say that Apple is no longer capable of creating a stable video environment with their so-called QUICKtime. I can only assume that they’re too busy counting their profits from iPod sales.

  37. Danridar Frederick says:

    Not sure if anyone else is having this problem but I assume they are. I’ve got the most recent Windlight, and got QT 7.3.1 or whatever, but I never get past the “Logging in” on the load bar.

  38. Kahni Poitier says:

    I hate QuickTime. I’d like to see a video format worked in that can handle other media formats. AVI of some form, or Flash video.

    I’d LOVE to see Flash implemented in SL. I’m waiting for my browser on a prim, too.

  39. Phantom Ninetails says:

    What about Windows 2000 users? Apple is not going to give an update to Windows 2000 users. Are you just going to leave us out in the cold? I think it’s about time you switch to something a little better than QuickTime, which is quite possibly the worst choice you could ever make. I really hope they paid you A LOT of money to sway you in their direction in the first place. I hate to say it but QuickTime might even be a worse choice than Windows Media Player. Not that those are the only choices, and I don’t want any Microsoft player being used as a replacement. I like the idea pointed out earlier, VLC. Security issues associated with that? Good luck finding an online program that doesn’t and never has had security issues. Even firewalls have security issues. At least VLC has decent OS support.

  40. teddirez Escape says:

    I have been happily using QuickTime Alternative up until now.. What a crock this is. I agree running something like VLC should be looked at as a potential alternative. To those that trash it cuz “it has bugs”: ahhh hello, we are playing Second Life here and VLC is a small open source initiative. Not only is it seriously solid already; with support from LL it could be developed massively.

    For now I want the option to say get stuffed to the warning. I’m not using QT, I’m using QTalt Lite and afaik no security issues.

  41. mimi says:

    Why are the comments closed on the Windlight topic? I was busy writing one when they were filled up. Why is there a limit on such an important topic? I’ll post mine here now, since the WL blog is full.

    @ pastrami
    Standing in my club with no windows, all avatars and walls look very overshadowed still. Heavy sunsets and shadows outside are nice, but inside a building with no windows it looks very unrealistic. Wasn’t the aim of Windlight to make the world look more realistic instead of less?
    Having dark, fiery, dramatic sunset-lit insides of houses is not realistic at all. It looks very unrealistic.

    Also, spending just a few minutes in SL will teach you that the majority of people hate the newbie skins and hardly anyone over 1 month old still wears a newbie skin. 99% of the people who are not complete newbies wear a skin. Oh My God, how can you not know this? It’s crazy to assume this; please go take a look inside the game and talk with some people.

    As for the way avatars look, it’s crazy to assume everyone will buy a new skin, new clothes, everything new just because the avatars are darker now. People spent THOUSANDS of lindens on their skin and clothes and all items that are darker now. Most people can’t afford to buy everything new again!!!!! Most items are not modifiable, so please be considerate to people!! We spent lots of money in our game, please don’t throw away everything we have now.

    Making nearly white textures look all white at noon would look good if textures wouldn’t have to make up for the lack of shape on flat prims. Now most things that aren’t there in shape are drawn on textures. Overlighting them will make the world look more flat instead of less, because the textures are gone and the prim looks flat once again, as if there were no texture (like most newbie buildings look).

    @ 57

    I would not consider it to be misogynist to assume all (nearly all) women want to look like models in SL: just look around and see what women in SL look like in general. All women look like they’re 18-25, are slim built, nice figure. Fat and older women are seldom seen. Just like most men (young, tall, muscular, handsome), most women in SL look like top models. It’s a typical SL thing.

  42. mimi says:

    quoting 132 WL blog “Once again we see a lot of “we heard a lot of complaints, but we prefer it this way” in this blog post. ”

    I was a bit disappointed at this blog too, seeing the great way Pastrami handled the first blog. This one does not speak communication the way the previous did.

  43. AWM Mars says:

    The security issue isn’t always in the operating platform, but in the ingenuity of those that craft malicious code and add it to the media; the update patches simply plug holes and become almost a virus/malware checker.

    If you want to watch safe media there are 2 precautions you can take:
    1) Always make sure you know the source of the media (preferably from your own source).
    2) Use a secure delivery system.

    As a company that deals with media inworld, we take these matters very seriously. We have our own servers that deliver media that we alone create. We also use a secure delivery system that, unlike standard media delivery systems in SL, does not give the source URL to any potential exploiters.

  44. Zi Ree says:

    I think it’s only sensible to disable support for an exploitable protocol. LL is doing the right thing here, and I don’t mean “saving the people from exploits” but protecting all the other users, who get hit by corrupted machines made into trojan-distributing zombies. I don’t care if a user doesn’t feel like updating and trashes their own system, but I do care if my system gets attacked by a zombie machine because its owner didn’t care.

    About the warning dialog: Why didn’t you include a button “Get Quicktime” instead of just mentioning the URL in the dialog? This would have saved people the hassle of retyping or mistyping the URL and got them to the webpage with just one click.

    Cheers!
    Zi

  45. Argent Stonecutter says:

    @35 Missy – It’s going to be “no age visible in profiles”.

    @38 Kahni – If you’re worried about quicktime, you ought to be terrified of Flash or HTML on a prim.

    @43 AWM – I agree, SL should be handling all streaming media from their own servers, so they could secure it and so it couldn’t be used as a privacy exploit.

  46. Melanie Milland says:

    @45: That would pretty much kill all content but the major broadcasters. Imagine having to apply to LL for permission to host a stream, then pay for the bandwidth/server space? What about live feeds? You must be crazy, or hoping for a nice, content-controlled world…. Go to There.com, where creation is moderated, and don’t try to take our freedom!
    Do I care if my IP is known to someone? F… no! I have a firewall!
    Don’t you?

    As for AV… I think it should be visible. Often I would want to prove to someone that I am verified.. if it’s not visible, how can I?

  47. Argent Stonecutter says:

    @46 Melanie: having all the content in SL other than streaming video hasn’t killed it… quite the opposite, in fact: content creators are terrified by the possibility that their content will get out of Linden Labs’ hands. Having Linden Labs host streaming media wouldn’t be any different. The only difference would be that they could scan the content for exploits, and they could even hook streaming media into their permissions system, giving content creators more flexibility.

    Their hosting fees might be higher than you’re paying now. Or they might be lower. But if you’ve got free video hosting, I’d love to know where it is. 🙂

    Live feeds? Why would they be any different… live feeds are already proxied through a streaming server, what difference does it make whether that server is hosted by Linden Labs or not?

    Do I care if my IP is known? I’m hardly stealthed… I’ve been using the handle “Argent” since the mid ’80s.

    But there are people who have reason to care that people can find out where they’re coming from – people sharing internet connections, people using alts to avoid stalkers. And there are people perfectly capable of abusing knowledge of your IP: a firewall won’t keep you from being hosed offline by an amplified DoS attack.

    As for age verification… if it was reliable then perhaps it would matter, but sheesh…

  48. Phantom Ninetails says:

    @47 Argent: Are you trying to turn Second Life into a super-expensive paid-only service? Or do you just want people to pay a hefty fee to watch streaming videos? Do you realize how much more bandwidth is used by a streaming video than by a game server? The use of QuickTime doesn’t make this any better, of course..

    No matter what, I don’t want to have the Lindens taking up the task of streaming videos to us. That would be extremely expensive for everyone, probably even for people who aren’t interested in watching streaming video.

  49. Chris says:

    What about QT Pro?

    I have an up to date version of this BUT SL is disabling qt for me -any suggestions?

  50. the bat says:

    I can understand LL warning customers/residents about the exploit and recommending that we all move to the latest release of QT — I know we aren’t now considered adults until we prove it. But FORCING people to upgrade a software package that LL do not own and which derives its content from OUTSIDE LL’s server farms is carrying the big brother act too far – and BTW on behalf of all the Win2000 users, “thanks for making it impossible to watch movies in SL.”
    I know I’m gonna be told “upgrade your OS” but my choice of OS is based on more factors than running SL/QT.

  51. @39, et al.: Uhm, what? MICROSOFT doesn’t even support Win2k anymore. If the company that made the OS no longer supports it, why should anyone else? Seriously, Win2k is well over 8 years old now.

    “but FORCING people to upgrade a software package that LL do not own and which derives its content from OUTSIDE LL’s server farms is carrying the big brother act too far”

    I disagree. LL has every right to set minimum requirements for connecting to their service, or for using certain aspects of their service. If your system doesn’t meet those requirements, either upgrade, or don’t use those aspects of the service.

    Think of it this way: If you try to do some online banking, and your browser doesn’t meet the bank’s requirements, then it will not let you in. The bank may have nothing to do with the browser industry, but they are still well within their rights to decide what may and may not connect to THEIR systems.

  52. Phantom Ninetails says:

    @51 Shadow: Microsoft does actually still support Windows 2000 users; we are in the extended support period, which will last until some time in 2010. Why should anyone else? Because many users come from Windows 2000, and they’ll lose market share by closing it off. Windows 2000 is still a very capable OS, and it doesn’t take much effort to support. There’s little that Windows XP can do that Windows 2000 can’t. What about Linux? That’s pretty old, are you going to tell them not to support Linux because it’s “well over” 16 years old? No. Linux and Windows 2000 still receive updates and support.

  53. the bat says:

    @51 – all LL do, or rather the script in the video screen, is tell QT what the URL is to download from — the video itself never passes through LL servers at all — and my Win2000 installations have been running since before XP appeared without needing a full reload at all. I know some Linux and Unix installs which can say the same; can’t say I’ve heard of an XP install running that long.
    I’m a Unix/Windows sysadmin by profession and quite capable of deciding what to do about a security risk to my own system.

  54. Zi Ree says:

    You can’t compare Linux to Windows in terms of age, because the Linux kernel gets updated every few weeks, distributions update every few months, so there is no point in saying “Linux is X years old”.

    If you are on Windows2000 and need the new Quicktime Library, kick Apple, not Linden Lab.

  55. Phantom Ninetails says:

    @54 Zi: Technically, I am not kicking them because of that, but rather because they chose Quicktime in the first place and also because it is still being used even today.

  56. Doris Haller says:

    Zi Ree said “If you are on Windows2000 and need the new Quicktime Library, kick Apple, not Linden Lab.”

    Yes…
    but I kick Linden for making me need QuickTime.. SL was the only reason I had installed it.
    I prefer VLC, which runs nicely, is stable, and I don’t have to install additional SW like codecs to view something.

  57. the bat says:

    @54 If you are on Windows2000 and need the new Quicktime Library, kick Apple, not Linden Lab.

    That’s the point Zi — my existing QT works fine, I don’t NEED the new QT.
    What I’m kicking LL for is DICTATING to me that I cannot use a perfectly working program, that nobody else on the planet would FORCE me to remove from my system, in order to use an EXTERNAL service that has no effect on their servers whatsoever.

    @51 — this isn’t a secure bank-type transaction, it’s watching a video stream, something I can do on the rest of the web WITHOUT justifying either my choice of software or OS in order to do so.

    It’s about FREEDOM OF CHOICE — though I guess that’s going away in SL and that is not only SAD, but should be fought by every resident/customer.

  58. Zi Ree says:

    @57 What i’m kicking LL for is DICTATING to me that i can not use a perfectly working program

    You’re missing the point. QT is *not* working perfectly. It has a security flaw that is already being exploited. By forcing you to upgrade, LL is making sure residents are not using the flawed version anymore. It’s the right thing to do, because it’s not only your own machine that might get exploited; it’s your machine being turned into a spambot or trojan factory. If it was only possible to delete your hard drive I wouldn’t care, but since a corrupted machine can be used to attack, spam or spy on other machines, it’s a valid concern.

    I applaud LL for doing what more companies should do: ban security flawed program versions.

  59. the bat says:

    @58 I applaud LL for doing what more companies should do: ban security flawed program versions.

    There isn’t a SECURE program available anywhere, and LL should be the LAST people to pass judgement on other companies’ bugs.
    Ultimately your computer’s SECURITY rests on your own shoulders; it’s YOUR responsibility, not LL’s.

    What’s next under your regime, checking our anti-virus and anti-spyware?
    Mandating the latest firmware release on my Cisco firewall?
    How far down the “granny state” road do you want SL to go???

  60. nomoresecrets says:

    I wonder where the problem is… I work with 1.18.3(5) perfectly…. no need to upgrade to another viewer.

    Okay, WL I only use sometimes when I need to make a nice picture of my beach or our house. But for normal use, hours over hours without a break, I still use 1.18.3(5)…. best viewer since 1.15

    merry christmas to all and a happy new year
    Happy holidays too :))

  61. Argent Stonecutter says:

    At least they need to quit popping that dialog up when you log in if you have already disabled quicktime, because we can’t get a security update for 7.1.6 because it’s the last version on Windows 2000.

  62. DBDigital Epsilon says:

    Yes, I agree Argent. And some people crash during this check regardless of whether they have it installed or not. I guess people with Windows 2000 (like me) won’t be watching video in SL once this check becomes mandatory. I wish there was a way to bypass this check, as some of us would still watch an occasional movie from a trusted source and have it disabled at other times. Why can’t we be responsible for our own security in this case?

    There could be a check when enabling the streaming, and if you don’t have the latest version, why not pop up a warning and say “using this with your current version of QuickTime is NOT safe, use at your own risk”? That seems like the perfect solution to me.

    -DB

  63. Crucial Armitage says:

    OK, I have no clue what update to choose. Can someone help me? There are too many updates on that page, and the one I downloaded, Windows says it does not know what program created it.

  64. Argent Stonecutter says:

    @48 Phantom: “Are you trying to turn Second Life into a super-expensive paid-only service?” Nope. You gotta pay for the bandwidth one way or another, unless you’re doing your streaming by leeching off your workplace or something. There’s no reason SL would have to operate the streaming servers; they could as easily buy it in bulk from whoever you’re buying it from, and maybe even reduce your costs.

  65. Chris says:

    I’ll ask again as there hasn’t been a reply from a Linden:

    What about QT Pro?

    I have an UP TO DATE version of this BUT SL is disabling qt for me – any suggestions?

  66. Traxx says:

    MERRY XMAS ALLLL!!!!

  67. Sup Bing says:

    Why do you bother having a blog? You don’t allow comments on most pages, and limit the ones you allow us to post in.. Granted, Usagi (UM) takes up most of the space but I think we all ignore her as she never speaks sense.
    Same problem over and over and over and over and over again.. Why do you mark it as resolved? Why not mark it as temp fixed? Gain some trust from the people that built “our world”?

  68. Alexa says:

    I am glad steps have been taken to fix this.

  69. Johnny1 Arctor says:

    OK, I have updated and everything and my movies still don’t work! And I haven’t seen a sim crash because of a movie or some other media. People may have crashed while loading a movie because the sim they are on is lagging them, so that’s maybe why they have crashed. I don’t think we should have this update at all; it has just caused tons of problems for people and it hasn’t really helped anyone!

  70. Pingback: New Release Candidate Viewer: 1.19.0 RC0 Available « Official Linden Blog

  71. Pingback: The Second Life Quicktime exploit soon redone? | VintFalken.com

  72. Pingback: New Viewer: Second Life 1.19.0 Viewer Now Available! « Official Linden Blog

  73. lifeforms says:

    I am having problems installing the new update and I can’t even uninstall; it’s just saying there is an error, code numbers. It’s so annoying. I need QuickTime, I think. Why is this? Does anyone know? I’ve even tried installing it manually and that does not work.

  74. Magnum Serpentine says:

    I have an HP computer that cannot run Windows XP Service Pack 2 without crashing every 2 minutes. I once downloaded XP and instead spent days trying to rid myself of it. SL crashed about once a minute. The techs that finally helped me said it was the fact that some things on this HP computer of mine were different from standard computers, so SP2 could not work. So they scrapped SP2 off and re-installed SP1. So if LL insist I get SP2, fat chance.

  75. AlucardRezillo says:

    I updated Second Life and now everytime I try to load it, it pops up saying

    Display settings have been to recommended levels based on your onfigurations.

    Then, a Quicktime thing pops up saying it is the

    Some of your Quicktime software is out of date. You can fix the problem by updating to the latest version.

    The thing tries to send the error to the main site but it seems to fail.

    I already tried updating QuickTime and I can’t even USE Second Life. >.< What can I do?

  76. Pingback: virus checker adware
