
Providing tax tables since 2010.

We are an Adelaide based company specialising in solving issues for MYOB® users. We started with PAYG tax tables and expanded to repairs, conversion, confirmation issues etc.

Our tax tables have not been endorsed and are not supported by MYOB Australia - MYOB would much rather you upgraded or subscribed to Cover or AccountRight Live.


MYOB®, Accounting Plus™, Premier®, AccountRight Plus™, Premier Enterprise®, AccountRight Premier™, AccountRight Enterprise™ and AccountEdge® are registered trademarks of MYOB Technology Pty Ltd


Classic MYOB® v19 & QuickTime



Most Classic MYOB® users have received an email from MYOB Australia about QuickTime, including a recommendation that they upgrade or purchase the latest AR2016. We wonder whether they also sent an email to all the AR201x users, as the issue affects them just as much!

The risk is identical - whether you use Classic MYOB® (v19 etc) or AR2016. So I hope MYOB aren't using this as a means of pushing more users to upgrade, but are in fact concerned about the 'risk' to all customers. Thousands of AR2016 users would also have QuickTime installed on their systems - that AR2016 does not rely on QuickTime does not diminish the risk to those users. Has MYOB emailed AR2016 users as well?

So what is QuickTime?
According to Wikipedia 'QuickTime is an extensible multimedia framework developed by Apple Inc., capable of handling various formats of digital video, picture, sound, panoramic images, and interactivity. The QuickTime framework provides the following:
  • Encoding and transcoding video and audio from one format to another.
  • Decoding video and audio, then sending the decoded stream to the graphics or audio subsystem for playback. In OS X, QuickTime sends video playback to the Quartz Extreme (OpenGL) Compositor.
  • A 'component' plug-in architecture for supporting additional 3rd-party codecs (such as DivX).'

According to ExtremeTech - 'For years, Apple QuickTime has hovered between a nuisance install bundled with iTunes and a necessary application for various third-party software tools, some of which rely on QuickTime for audio or video playback.'

While QuickTime is used mainly for video playback and editing, it is also used for viewing and editing images (JPEG, BMP etc) - this is where the MYOB® connection comes in. Classic MYOB® uses QuickTime when embedding an image into a PDF. Lots of other software also relies on QuickTime, especially for video playback and editing.

Who Needs QuickTime?
There is no escaping the fact that current versions of Classic MYOB (v19 etc) have a reliance on QuickTime when images (such as logos) are involved, nor is there an integrated workaround - in other words, no easy solution. But who actually needs QuickTime?

Only Classic MYOB® users who use
  • 'To Be Emailed' as a delivery method (MYOB generates a file called eSale.pdf or eStatement.pdf and it is automatically attached to an email), and
  • if the invoice or statement form has been customised to include an image, for example a logo.

Printing an invoice or statement to a printer with an image does not rely on QuickTime.
Printing an invoice or statement to a PDF file with an image does not rely on QuickTime.

So what is all the fuss about?
According to Wikipedia 'On April 14, 2016, Christopher Budd of Trend Micro announced that Apple has ceased all security patching of QuickTime for Windows, and called attention to two Zero Day Initiative advisories, ZDI-16-241 and ZDI-16-242, issued by Trend Micro's subsidiary TippingPoint on that same day. Also on that same day, the United States Computer Emergency Readiness Team issued alert TA16-105A, encapsulating Budd's announcement and the Zero Day Initiative advisories. Apple responded with a statement that QuickTime 7 for Windows is no longer supported by Apple.'

According to ExtremeTech 'TrendMicro writes: Our Zero Day Initiative has just released two advisories ZDI-16-241 and ZDI-16-242 detailing two new, critical vulnerabilities affecting QuickTime for Windows. These advisories are being released in accordance with the Zero Day Initiative’s Disclosure Policy for when a vendor does not issue a security patch for a disclosed vulnerability. And because Apple is no longer providing security updates for QuickTime on Windows, these vulnerabilities are never going to be patched.

We’re not aware of any active attacks against these vulnerabilities currently. But the only way to protect your Windows systems from potential attacks against these or other vulnerabilities in Apple QuickTime now is to uninstall it. In this regard, QuickTime for Windows now joins Microsoft Windows XP and Oracle Java 6 as software that is no longer being updated to fix vulnerabilities and subject to ever increasing risk as more and more unpatched vulnerabilities are found affecting it.

TrendMicro goes on to write that both exploits are remote code execution vulnerabilities that would require an end user to actively visit a malicious webpage or open a malicious file to exploit them. US-CERT has released its own notification, calling on Windows users to uninstall the software (Mac users are not affected). (emphasis added)'

See these links to the Zero Day Initiative releases
ZDI-16-241
ZDI-16-242

both highlighting that:
  • TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter
  • User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

Layman's analysis:
Reading between the lines, Trend Micro (an anti-virus software developer) has a subsidiary that searches for potential vulnerabilities in software so they can update their protection software. They actively seek out and reward 'researchers' who bring vulnerabilities to their attention. When they find or are alerted to something that can be exploited, they update their protection software to protect their customers and they notify the developer of the vulnerability. If the developer does not address the vulnerability, an alert is then issued. This is what triggered all the fuss.

According to this Apple forum post
'Finally, there is no need to panic. There have been no reports of hacks exploiting these vulnerabilities, and even more importantly -- you're only vulnerable if you access tainted content with QuickTime. Just having it installed carries zero risk if you don't use it. And if you're working locally with your own files, you should be just fine -- unless you're already infected.

So, the second word of the day is caution. Do not load unknown QuickTime content from web sites or email attachments that you don't trust. Which is probably a good idea anyway. Now breathe, and have a great day!'


Our Perspective:
  • The risk is negligible
  • Updated anti-virus protection can protect from this risk - as per TippingPoint
  • There are no known attacks targeting the vulnerability. It is simply that the developer (Apple) will not be updating the software anymore, same as Microsoft with Windows XP.
  • There is more risk using Windows XP than QuickTime (We use both and will not be un-installing QuickTime even though we don't use eSale or eStatements in MYOB®)

There is no risk of MYOB® software causing any problems by using QuickTime. The only risk is if a malicious hacker works out how to exploit the vulnerability and then accesses a computer which has QuickTime installed. This risk applies equally to Classic MYOB® and AR2016 users.

Some Suggestions:
  • Keep your anti-virus and anti-malware software up to date
  • Don't visit suspect websites or run suspect applications without first scanning with anti-virus/malware software.
  • Don't open email attachments from unsolicited sources - even if they hold the promise of all sorts of things.
  • If you need to use QuickTime for MYOB® eSale and eStatements, uninstall QuickTime on all computers but one to be used for the emailing.

For those who want to completely eliminate the possibility that a malicious hacker will discover a way to exploit the vulnerability, and will find a way to access your computer which has QuickTime installed, you should un-install QuickTime on all computers - whether you use Classic MYOB® or AR2016 or neither.

If you are a Classic MYOB® user and you un-install QuickTime, then to email eSales and eStatements with images you will need to print them to a PDF driver like CutePDF and then attach them to an email.
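
To act on the suggestion of keeping QuickTime on at most one computer, you first need to know which PCs still have it. The script below is an added example, not part of the original page or anything supplied by MYOB or Apple: it reads the standard Windows uninstall registry keys and reports any entry whose name contains "QuickTime". It assumes the installer registers a DisplayName containing that word, and checking other PCs assumes PowerShell remoting is enabled on them.

```powershell
# Added example: report where QuickTime is still installed.
# Assumption: the product's uninstall entry has a DisplayName containing "QuickTime".
param(
    # PCs to check; defaults to the local computer only.
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

# Runs on each PC: look in both the 64-bit and 32-bit uninstall keys.
$check = {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*QuickTime*' } |
        Select-Object DisplayName, DisplayVersion
}

foreach ($name in $ComputerName) {
    try {
        if ($name -eq $env:COMPUTERNAME) {
            $found = & $check
        } else {
            # Requires PowerShell remoting on the target PC (assumption).
            $found = Invoke-Command -ComputerName $name -ScriptBlock $check -ErrorAction Stop
        }
    } catch {
        # A PC that cannot be checked is reported, not silently skipped.
        [pscustomobject]@{ Computer = $name; Status = 'Unreachable'; Product = $null; Version = $null }
        continue
    }

    if (-not $found) {
        [pscustomobject]@{ Computer = $name; Status = 'Not installed'; Product = $null; Version = $null }
    } else {
        foreach ($entry in $found) {
            [pscustomobject]@{
                Computer = $name
                Status   = 'Installed'
                Product  = $entry.DisplayName
                Version  = $entry.DisplayVersion
            }
        }
    }
}
```

Any PC reported as 'Unreachable' still needs to be checked by hand through the Windows list of installed programs.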


Update from MYOB - For Australian subscribers, MYOB Australia have released an update to remove the reliance on QuickTime when generating a PDF for emailing - see here.


Page Updated 28 Mar 2023