[opensource-dev] Quicktime

[Henri Beauchamp]

On Tue, 19 Apr 2016 18:40:02 -0400, Andromeda Quonset wrote:

> Now I am seeing a lot of messages urging all Windows users to 
> uninstall Quicktime, that it will never be updated for Windows, and 
> that it hasn't been updated for 10 years.  So the first question is 
> "does uninstalling Quicktime have an impact on Second Life?

Yes, it prevents the viewer from reading media files, QuickTime's,
but not only: all video and audio media files are read via the
QuickTime plugin in the viewer: see the occurrences of
"media_plugin_quicktime" in skins/default/xui/en/mime_types.xml
(for LL's viewer; some TPV moved this file where it truly belongs,
in the app_settings/ sub-directory).

> The second question might be 'do I still need the QuicktimeSDK for 
> compiling viewers?

Yes and no. You can make it so that you compile a QuickTime-plugin-less
viewer (this might require some changes to the cmake files for LL's
viewer: some TPVs provide this choice as a build option, via a cmake
define). Not sure if LL's viewer sources build "as is" without
QuickTime. In any case, LL's latest viewers (late v3 and v4) require
VS2012 to build, and VS2005/VS2010 QuickTime SDK is incompatible with
VS2012 (the plugin will still build with the old SDK under VS2012, but
the resulting binary will fail to launch).

LL apparently got their hand on a VS2012-compatible QuickTime SDK
(their VS2012-compiled viewer therefore got a functionnal QuikTime
plugin, that you could reuse together with your QuickTime-less viewer
builds). Alas, the corresponding pre-built library package is not
available to the public (it is hosted on LL's private servers)...

> Or is there some substitute by now?

Not that I know of... I already pointed out (like years ago), in this
very list that alternatives to the long deprecated QuickTime did exist
and should be used by LL but, as usual, it felt into deaf ears (LL,
once more: "I told you !").

Such an alternative could be the gstreamer SDK for Windows; after all,
the gstreamer plugin already exists for Linux, so it should not be an
impossible (or even difficult) task to extend its use to Windows builds
of the viewer. The only "difficulty" is to create a proper pre-built
library/headers package out of the SDK, which will include all the
necessary dependencies to build and package the viewer.

> In trying to find out more info about Quicktime, I find leads that 
> Homeland Security issued the warning.  Then I find Homeland Security 
> copied a noticed from CERT, who copied a notice from Comodo.....and 
> then I start having a few doubts  about the warning being quite as 
> dire as I first read.

As usual, such flaws require a thoroughly "cooked up" setup for a (black
hat) hacker to exploit it against you. Whether it is possible to exploit
QuikTime flaws to gain access to your computer via the QuickTime plugin
is, for now and AFAIK, a purely theoretical issue. However, it is unwise
to run exploitable software, even if the possibility of a compromission
is slim.

Regards,

Henri.