Description
Two security vulnerabilities have been reported in QuickTime for Windows. How do Portfolio 1.x and Portfolio 2.x Windows use QuickTime? Can I remove it from my server?
Solution
Portfolio 1.x and Portfolio version 2.1.2 and earlier use QuickTime for Windows to generate previews and thumbnails for Adobe Photoshop PSD files; we are investigating other options for handling PSD files.
The reported vulnerabilities relate to QuickTime’s handing of certain data in MPEG-4 video files. The vulnerabilities require a user to open a malicious file using QuickTime, which would require direct access to the server itself. Portfolio does not use QuickTime to process MPEG-4 video files so there is little chance of an attacker using Portfolio to compromise the server.
Portfolio 2.x users can upgrade to Portfolio 2.1.4 or later; this removes the dependency on Quicktime for Windows. You can download the latest installer for Portfolio 2.x from the product suppport page: http://www.extensis.com/support/
Once you have upgraded, you can uninstall Quicktime for Windows. To uninstall Quicktime, see the following article: https://support.apple.com/HT205771
If you are not cataloging PSD files in Portfolio 1.x and cannot upgrade to Portfolio 2.x, you can uninstall QuickTime from the server. Without QuickTime installed, Portfolio will catalog other file types normally, and existing records for PSD files will be unaffected. If you make changes to a PSD file, regenerate JPEG previews and thumbnails for PSD files, or try to batch convert PSD files to another format, you may get a generic file icon or a highly-pixellated image. If you need high-resolution previews for PSD files and cannot have QuickTime installed, you can apply a custom preview through Portfolio Web.
For more information on the QuickTime for Windows vulnerabilities, see the following articles:
- http://zerodayinitiative.com/advisories/ZDI-16-241/
- http://zerodayinitiative.com/advisories/ZDI-16-242/
- http://www.adobe.com/devnet/video/articles/mp4movieatom.html