XP vulnerability with QuickTime format

I followed Microsoft’s instructions for the interactive method at http://support.microsoft.com/kb/971778
I have the VLC Media Player associated with all its supported formats in Firefox (I declined the Firefox plug-in during VLC install because it doesn’t work well, at least in v0.9.9).
I clicked on a MOV format movie at this site http://www.stockshots.com/SampleFootage.htm
It plays fine!

Good to have a secure way of playing QuickTime files since no one has yet provided a test file that demonstrates CIS’ protection from this vulnerability.

VLC is growing in popularity because it plays files and formats that don’t work on other players. It is open source and free too! I recommend giving VLC a try, even if you have Vista or later.

Apple released an update for Quick Time with version number 7.62.14.0 on June 2. Get it from here: Download QuickTime 7.7.9 for Windows . I don’t know what the change log is.

A Google search for “quicktime 7.6.2 release notes” resulted in this link:

Four of the bugs fixed, which allow arbitrary code execution, are not buffer overflows that would be protected by CIS.

I didn’t see a bug that affects XP and not Vista. So the thread-topic bug may still exist.

I prefer to use VLC Media Player, and uninstall QuickTime, to reduce the chances of being targeted by malware, which generally targets mainstream/popular apps like Windows Media Player, RealPlayer and QuickTime. Also, QuickTime embeds an IE-based browser, which provides another entry method for malware. Finally, QuickTime performs autoupdates by default, so there is a risk of privacy leakage.

Does QuickTime v7.6.2 update the quartz.dll file?
I have not installed QuickTime v7.6.2 on my PC with Win XP Pro SP3, and my C:\WINDOWS\system32\quartz.dll file is version 6.5.2600.5731 with a creation date of April 14, 2008.

If the quartz.dll file has not been updated, media players other than QuickTime and VLC may still be vulnerable.
For example, the codec pack from Portable 64bit codecs for Windows 11 and Windows 10.
using Media Player Classic (see the Tools tab).

It may be necessary to apply the registry work-around to protect other players, but this may also prevent them from playing QuickTime/MOV-format files.

Perhaps you should install it and see if it works. I see you posted this reply in another section of the forum and well if you like using VLC player why not just set Comodo to block Media Player and Quicktime Player from access to the internet? You mentioned something about by default Quicktime does an update well I am not sure about that as if my memory serves me correct somewhere during the installation it should give you the option if you want autoupdate enabled. Well this had occurred when I had installed an older quicktime player and then I went in to check my preferences and the autoupdate was disabled. When I had installed the latest quicktime it simply kept my settings from the previous version so I wouldn’t know if you are asked to enabled autoupdate.

quick question would not defense+ in safe mode give a warning for this like it’s creating a registry direct access to drive ect.

Using the firewall to block access to the internet for WMP and QuickTime Player does not protect against videos that come through email or videos that are downloaded by the web browser before playing them (not using their browser plug-ins). I am learning how to consolidate the number of multimedia viewers needed to play all the popular formats, which includes uninstalling QuickTime Player and Real Player.

My understanding is that the QuickTime Player and Windows Media Player (WMP) are on Comodo’s Safe List, so their default access rights in Defense+ is to allow everything except running an executable or writing to protected registry keys, files or folders. Thus, there is no alert for creating an (unprotected) registry key or direct access to the disk. Note that WMP can play QuickTime-format videos if a codec pack, such as the one I gave above, is added.

I am hoping that someone who has installed QuickTime v7.6.2 will answer my question. I have not installed QuickTime on my new PC because of the issues I mentioned above. My spouse has v7.6 installed, and I am trying to decide whether to update it before uninstalling it entirely. I haven’t decided yet whether to use VLC Media Player or Media Player Classic with Shark007’s codec pack as the main player on both PCs. I will wait for VLC v1.0 to be released to see if it handles older RealVideo files.

ok thanks.
maybe having different safe levels for applications so that a media player cant right to the registry other then it’s own keys. and create files other then temp files in the temp folder would that work?

CIS is very flexible. If you are willing to tolerate some pop-ups during training for the media player, you can achieve better security, without the need to change Defense+ to Paranoid Mode. Change the default action to Ask for all the access rights on the media player. Play some trusted media files, respond to pop-ups with Allow and Remember. After you feel that it is trained, examine the allowed exceptions for each of the access names. Decide whether to change the default action for each access name to Allow or Block given the allowed exceptions. For example, if there are no exceptions, Block will probably work. You may need to manually change certain exceptions to be more general. At this point, you have better security than the default for Defense+ Clean PC Mode or Safe Mode, which allows almost all access rights.

Well as far as I know I’ve never gotten any videos via email so I guess I’m safe at that end and I rarely ever download videos. I mostly just watch videos on youtube.

ok thanks

Well since no one had answered your question I guess I will answer it for you. I have another pc with XP SP3 on it and I installed the latest quicktime on it and the dll file which you speak of was not modified when the new version of quicktime was installed.

Edit: In regard to something else you mentioned in the following quote:

You mentioned about videos being downloaded could still compromise your security. The way I see it is wouldn’t those videos be malware anyways so wouldn’t an antivirus or antispyware eventually pick up such a file as having a virus/malware in it if scanned?

Thanks for answering!

Here is an interesting statement that may answer your question:

On a PC that already had Microsoft’s workaround applied (http://support.microsoft.com/kb/971778), I installed QuickTime v7.6.2. Next, I changed Firefox to associate MOV files with the QuickTime plug-in, and I played an MOV file from this site: http://www.stockshots.com/SampleFootage.htm
The QuickTime plug-in played the video OK within Firefox. I confirmed that the QuickTime install did not add back the removed registry keys.

Since QuickTime works on MOV files even though the quartz.dll file is disabled in the registry, my conclusions are the following:

1. QuickTime v7.6.2 doesn’t use quartz.dll
2. Installing QuickTime v7.6.2 doesn’t protect other DirectShow players such a Windows Media Player and Media Player Classic.
3. The Microsoft workaround doesn’t prevent QuickTime Player from playing MOV videos.
4. Applying Microsoft’s workaround and installing the VLC Media Player protects against the quartz.dll vulnerability, allows playing MOV videos and allows the QuickTime Player to be uninstalled to avoid other vulnerabilities and performance impacts.

Brilliant deductions dude. Thanks ;D

SilentMusic7 perhaps this method is an alternative in that you set defense+ and firewall to block the other media players while allowing just VLC privilege.

I believe that Defense+ is sufficient to block Windows Media Player, with its yet-to-be-discovered vulnerabilities. In other forums, users have advised against uninstalling Windows Media Player totally because parts of it are used by other media players.

For other media players, why not uninstall them instead of blocking them with Defense+?

By the way, VLC Media Player v1.0.0 has been released. I tested it on all clip versions from this site:

It works! Therefore, I don’t need Real Player any more! Good riddance to this bloated spyware.

Thanks for the notification man. Just realized they have a new version out.

Here is a forum where people compare different players for compatibility, PC resources and quality:

VLC is one of the best for compatibility with many formats and broken files. The main multimedia problem I have on my two laptops is too-soft audio with the built-in loudspeakers, even with all the volume controls at maximum. VLC supports increasing loudness to 200%, which does not produce any audible distortion on 95% of the audio and video files I have tried. I tolerate VLC’s slow loading to get usable loudness and no-fuss compatibility. If I watched full-length videos on my PC, video quality would be more important, and I would try Media Player Classis HomeCinema (MPC-HC) with a codec pack, such as here:

From a security point of view, I recommend avoiding the often-targeted-by-malware mainstream players like Windows Media Player, QuickTime and Real Player; and instead use open-source players like VLC, MPC and MPC-HC or maybe GOM Media Player. One strategy would be to associate VLC with all possible file extensions in Windows Explorer, associate VLC with all possible MIME types and file extensions in Firefox, and open full-length videos from within a high-quality player like MPC-HC.

While VLC Media Player has successfully played every multimedia file I have tried, I found many web pages with embedded multimedia that did not work initially. Here is what I have done so far…

My first goal is to avoid using Internet Explorer (IE), Windows Media Player (WMP) and the WMP browser plug-in since these are the most popular and most targeted by malware. My second goal is to avoid installing commercial media players (like Real Player and QuickTime) that run background processes, embed IE within, send unknown info to their home server and potentially install spyware (like WeatherBug). My third goal is to avoid installing other media players using the DirectShow framework (Media Player Classic) because they use vulnerable components from WMP. See DirectShow - Wikipedia

I use the Firefox browser because it supports the Adblock Plus extension for improved security and faster surfing. I have WMP 11 installed, but I disabled the WMP and Microsoft DRM plug-ins within Firefox. With no other media players installed besides VLC (including its Firefox plug-in), VLC successfully plays all media at Enjoy RealPlayer from RealNetworks everywhere
MP3 and Ogg streams at http://www.wxyc.org/programming/listen/help/
WMP 9 test at http://plugindoc.mozdev.org/testpages/index.html
Non-embedded media except MIDI at http://home.att.net/~cherokee67/mediatests.html

After adding QT Lite from http://codecguide.com/qt_lite.htm, Firefox successfully plays MIDI, QuickTime movies and embedded WAV at http://home.att.net/~cherokee67/mediatests.html
JPEG 2000 and TIFF images at http://plugindoc.mozdev.org/testpages/index.html

After adding the MediaWrap Firefox extension from https://addons.mozilla.org/en-US/firefox/addon/1879, Firefox successfully plays the embedded WMV at http://home.att.net/~cherokee67/mediatests.html
WMP 11 test at http://plugindoc.mozdev.org/testpages/index.html
Note that the MediaWrap support page is in Chinese, which can be translated using http://translate.google.com/

After adding Adobe Reader Lite from http://www.majorgeeks.com/Adobe_Reader_Lite_d5915.html, Firefox successfully displays the PDF test at http://plugindoc.mozdev.org/testpages/index.html

After adding Flash Player from http://get.adobe.com/flashplayer/, Firefox successfully plays Flash at http://www.adobe.com/software/flash/about/
Streaming Flash videos at Video News - CNN

After adding Shockwave Player from http://get.adobe.com/shockwave/, Firefox successfully plays Shockwave at http://www.adobe.com/shockwave/welcome/

After adding Java (offline) from http://www.java.com/en/download/manual.jsp, Firefox successfully plays Java at http://www.javatester.org/enabled.html
http://www.java.com/en/download/help/testvm.xml
http://www.java.com/en/download/installed.jsp?verify

After adding Real Alternative Lite from http://codecguide.com/about_real.htm, Firefox successfully plays the embedded RealPlayer video at http://home.att.net/~cherokee67/mediatests.html
Since embedded RealPlayer content is rare these days, most users would not notice if Real Alternative Lite was omitted (except for lower memory and disk space usage). Note above that non-embedded Real Player works fine without Real Alternative Lite.

The only site I am having a problem with in Firefox is the steaming MP3 file at http://home.att.net/~cherokee67/mediatests.html
The page source contains a link to http://home.att.net/~cherokee68/mp3stream.m3u, which launches VLC and plays OK. The page source shows two MIME types: application/x-mplayer2 (handled by the VLC plug-in) and application/x-oleobject (ActiveX, not listed by any plug-in within about:plugins). Since the embedded WMV file on the same site has the same MIME types and plays OK in Firefox, I don’t understand why this streaming MP3 fails. Especially since streaming MP3 works at http://www.wxyc.org/programming/listen/help/
I would appreciate any help folks can offer.

Other than this one anomaly, Firefox with VLC and the above plug-ins are playing all media on all web pages I have tried. I may load Media Player Classic (maybe Homecinema version) if I want to watch long videos on my PC where I want the best quality. My understanding is that, with the WMP plug-in disabled in Firefox, no web content will automatically launch MPC. This gives some protection again vulnerabilities in the DirectShow framework, like the one that inspired this topic.