Editing QuickTime (section)

== Bugs and vulnerabilities ==
QuickTime 7.4 was found to disable [[Adobe Systems|Adobe]]'s video compositing program, [[Adobe After Effects|After Effects]].<ref>{{cite web
 | title      = Beware of the new QuickTime 7.4
 | url        = http://www.videocopilot.net/blog/?p=130
 | last       = Kramer
 | first      = Andrew
 | date       = January 18, 2008
 | access-date = May 14, 2010
 | publisher  = Video Copilot
}}</ref><ref>{{cite magazine
 | title      = QuickTime 7.4 breaks After Effects and Premiere
 | url        = http://www.macworld.com/article/131809/article.html
 | date       = January 25, 2008
 | last       = Dalrymple
 | first      = Jim
 | magazine  = [[Macworld]]
 | access-date = May 14, 2010
}}</ref><ref>{{cite web
 | title      = Don't update to QuickTime 7.4
 | url        = http://blogs.adobe.com/keyframes/2008/01/dont_update_to_quicktime_74.html
 | date       = January 21, 2009
 | last       = Coleman
 | first       = Michael
 | publisher  = Adobe Systems Incorporated
 | access-date = May 14, 2010
}}</ref> This was due to the [[Digital rights management|DRM]] built into version 7.4 since it allowed movie rentals from iTunes. QuickTime 7.4.1 resolved this issue.<ref>{{cite magazine | title= QuickTime 7.4.1 fixes After Effects problem| url=http://www.macworld.com/article/131990/2008/02/quicktime.html|magazine=[[Macworld]]}}</ref>

Versions 4.0 through 7.3 contained a buffer overflow bug which could compromise the security of a PC using either the QuickTime Streaming Media client, or the QuickTime player itself.<ref>{{cite web | title= Apple QuickTime RTSP Content-Type header stack buffer overflow.| url=http://www.kb.cert.org/vuls/id/659761 | access-date=December 6, 2007}}</ref> The bug was fixed in version 7.3.1.

QuickTime 7.5.5 and earlier are known to have a list of significant vulnerabilities that allow a remote attacker to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) on a targeted system. The list includes six types of buffer overflow,<ref>{{cite web | url=https://nvd.nist.gov/vuln/detail/CVE-2014-1244 | title=CVE-2014-1244 Detail | date=February 26, 2014 | publisher=[[National Institute of Standards and Technology]] | work=National Vulnerability Database | location=[[Gaithersburg, Maryland]] | access-date=June 30, 2018 }}</ref><ref>{{cite web | url=https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1246 | title=CVE-2014-1246 Detail | date=February 26, 2014 | publisher=National Institute of Standards and Technology | work=National Vulnerability Database | location=Gaithersburg, Maryland | access-date=June 30, 2018 }}</ref><ref>{{cite web | url=https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1247 | title=CVE-2014-1247 Detail | date=February 26, 2014 | publisher=National Institute of Standards and Technology | work=National Vulnerability Database | location=Gaithersburg, Maryland | access-date=June 30, 2018 }}</ref><ref>{{cite web | url=https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1248 | title=CVE-2014-1248 Detail | date=February 26, 2014 | publisher=National Institute of Standards and Technology | work=National Vulnerability Database | location=Gaithersburg, Maryland | access-date=June 30, 2018 }}</ref><ref>{{cite web | url=https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1249 | title=CVE-2014-1249 Detail | date=February 26, 2014 | publisher=National Institute of Standards and Technology | work=National Vulnerability Database | location=Gaithersburg, Maryland | access-date=June 30, 2018 }}</ref><ref>{{cite web | url=https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1251 | title=CVE-2014-1251 Detail | date=February 26, 2014 | publisher=National Institute of Standards and Technology | work=National Vulnerability Database | location=Gaithersburg, Maryland | access-date=June 30, 2018 }}</ref> data conversion,<ref>{{cite web | url=https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1250 | title=CVE-2014-1250 Detail | date=February 26, 2014 | publisher=National Institute of Standards and Technology | work=National Vulnerability Database | location=Gaithersburg, Maryland | access-date=June 30, 2018 }}</ref> signed vs. unsigned integer mismatch,<ref>{{cite web | url=https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1245 | title=CVE-2014-1245 Detail | date=February 26, 2014 | publisher=National Institute of Standards and Technology | work=National Vulnerability Database | location=Gaithersburg, Maryland | access-date=June 30, 2018 }}</ref> and uninitialized memory pointer.<ref>{{cite web | url=https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1243 | title=CVE-2014-1243 Detail | date=February 26, 2014 | publisher=National Institute of Standards and Technology | work=National Vulnerability Database | location=Gaithersburg, Maryland | access-date=June 30, 2018 }}</ref>

QuickTime 7.6 has been found to disable Mac users' ability to play certain games, such as ''[[Civilization IV]]'' and ''[[The Sims 2]]''. There are fixes available from the publisher, [[Aspyr]].<ref>{{cite web|title=QuickTime 7.6 Fixes |url=http://support.aspyr.com/index.php?x=&mod_id=2&root=239target= |url-status=dead |archive-url=https://web.archive.org/web/20090304114157/http://support.aspyr.com/index.php?x=&mod_id=2&root=239target= |archive-date=March 4, 2009 }}</ref>

QuickTime 7 lacks support for H.264 Sample Aspect Ratio.<ref>{{cite web|title=Using MEncoder to create QuickTime-compatible files|url=http://www.mplayerhq.hu/DOCS/HTML/en/menc-feat-quicktime-7.html}}</ref> QuickTime X does not have this limitation,{{Citation needed|date=August 2011}} but many Apple products (such as [[Apple TV]]) still use the older QuickTime 7 engine. [[iTunes]] previously utilized QuickTime 7, but as of October 2019, iTunes no longer utilizes the older QuickTime 7 engine.<ref>{{cite web |title=Download QuickTime 7.7.9 for Windows |url=https://support.apple.com/kb/DL837 |website=Apple }}</ref>

QuickTime 7.7.x on Windows fails to encode H.264 on multi-core systems with more than approximately 20 threads, e.g. HP Z820 with 2× 8-core CPUs. A suggested solution{{By whom|date=April 2016}} is to disable hyper-threading/limit CPU cores. Encoding speed and stability depends on the scaling of the player window.{{Citation needed|date=April 2016}}

On April 14, 2016, Christopher Budd of [[Trend Micro]] announced that Apple has ceased all security patching of QuickTime for Windows, and called attention to two Zero Day Initiative advisories, ZDI-16-241<ref>{{cite web | url=http://zerodayinitiative.com/advisories/ZDI-16-241/ | title=(0Day) Apple QuickTime moov Atom Heap Corruption Remote Code Execution Vulnerability | date=April 14, 2016 | website=Zero Day Initiative | series=Advisories | publisher=[[TippingPoint]] | access-date=April 14, 2016 }}</ref> and ZDI-16-242,<ref>{{cite web | url=http://zerodayinitiative.com/advisories/ZDI-16-242/ | title=(0Day) Apple QuickTime Atom Processing Heap Corruption Remote Code Execution Vulnerability | date=April 14, 2016 | website=Zero Day Initiative | series=Advisories | publisher=TippingPoint | access-date=April 14, 2016 }}</ref> issued by Trend Micro's subsidiary [[TippingPoint]] on that same day.<ref name=TrendMicro /> Also on that same day, the [[United States Computer Emergency Readiness Team]] issued alert TA16-105A, encapsulating Budd's announcement and the Zero Day Initiative advisories.<ref name=US-CERT /> Apple responded with a statement that QuickTime 7 for Windows is no longer supported by Apple.<ref name="Windows" />