Quicktime and the Trouble with Legacy Software

Last week Trend Micro, an antivirus company among other things, announced that they had uncovered two security vulnerabilities in Apple’s Quicktime for Windows product. However since Apple was no longer supporting this product* Trend Micro urged users to uninstall Quicktime as soon as possible. Of course what followed was a bit of a firestorm. Internet trolls asserting that Apple is really bad at security, clients sending panicky emails because they read on some news outlet that Quicktime leaves their computer vulnerable and the Dept of Homeland Security says…

All in all Apple did a reasonable job of handling the end of life of Quicktime for Windows. Developers have known since 2009 that Quicktime for Windows was was not appropriate for new projects and old products should be updated to use native support for Quicktime formats. In January of 2016 when Apple released their final security fixes for Quicktime on Windows they also had the update uninstall the Quicktime web browser plugin. It is hard to imagine Oracle taking the step of uninstalling the Java web browser plugin though audio and visual content abound on the internet while Java content is scarce. It has been my experience that it is far more common to find Java used to run a program installed on a computer than to assist displaying content from the internet. But the hype as always has been disproportionate.

At MePush, it has been a long time since we installed Quicktime for Windows as a standalone product on Windows. When I started in 2010, Quicktime for Windows was still required by iTunes though when iTunes no longer needed Quicktime for Windows we started uninstalling it to help cut down on the unending stream of updates. However many software products still require Quicktime for Windows including some current Adobe Creative Suite products. For users of these legacy software packages I applaud Apple’s decision to remove the web plugin which helped prevent accidental exploitation. But these legacy packages make my life as an IT person difficult because I can’t just issue a blanket statement that all clients should uninstall Quicktime for Windows. Rather, I have to be cautious and inform clients that most users should be okay to go ahead and uninstall Quicktime for Windows though some using especially older software packages may find that software they depend on breaks until Quicktime for Windows or even the entire affected software package is reinstalled.

Yet this is always the trouble with legacy software. Quicktime was incredibly successful. So successful that it’s encoding format became the basis for the .mp3 and .mp4 file formats in near universal use today. But as better ways of handling digital audio and video emerged software vendors were slow or reluctant to take advantage of them. Sometimes because it was not clear that the new methods were better. Thus when one software package is finally retired your IT person is often left pointing fingers and working around the issues left behind.

So January 6, 2016 was a sad day for me having used, worked with and depended on Quicktime for almost 20yrs. And while as a developer I now have to worry about every platform doing things differently I also know that those ways benefit from hardware acceleration and get their updates along with the OS so I don’t have to worry about slow Quicktime performance or shipping a vulnerable version of Quicktime with my product. In the end the user benefits and we will forget the pain much as we have forgotten how hard it was to get a printer to work in Windows 2000, how ugly Windows XP was or how hard it was to do simple things like set the clock in Windows Vista.

* I am only talking about the Quicktime for Windows in this post. The Mac OS media codec and default video play back utility still bear the Quicktime moniker though they are a significantly different and still supported product.