US government tells Windows users to uninstall QuickTime

Richard Gaskin ambassador at
Fri Apr 15 11:32:40 EDT 2016

Paul Dupuis wrote:
> On 4/15/2016 7:37 AM, Tiemo Hollmann TB wrote:
>> I have the first customers following this advice and telling me that my
>> software is completely out of date. I am losing customers.
>> When will LiveCode provide the new Mac & Windows compatible media player?
>> It was one of the crowdfunding aims and I haven't heard much about it
>> anymore.

Since Windows remains the world's most popular desktop OS by an order of 
magnitude over the second-leading OS, I strongly support anything that 
brings reliable video playback to that platform.

If Linux can come along for the ride so much the better, and ultimately 
the Kickstarter goal of restoring and enhancing video playback on all 
platforms will happen at some point.

But if a shorter term workaround is needed, favoring Windows is not a 
mistake.  No matter what OSes we use to develop on, for most of us the 
majority of our income comes from Windows.

And because our revenue as LiveCode developers is what provides revenue 
for LiveCode Ltd., Windows is the most important platform for the company.

> These discovered vulnerabilities are real, but I can't help but wonder
> how much of this statement from Homeland Security is retaliatory for
> Apple's stand against the FBI. DHS has rarely issued such a strongly
> worded statement for other end of life software with known vulnerabilities.

People are indeed sometimes petty, and all human organizations are prone 
to pettiness.  But I've known a few FBI employees and my impression is 
they're up against the same challenges of working in any other large 
organization, and simply don't have time to devote to pettiness for its 
own sake.

The FBI and DHS regularly release vulnerability reports, such as last 
year's two reports on vulnerabilities in Java.  Indeed, the Java reports 
should make it clear that this ongoing practice of reporting 
vulnerabilities is far from vendor-specific: many federal agencies have 
an almost disproportionately favorable view of Oracle products, but that 
doesn't stop them from reporting vulnerabilities that benefit the 
general public.

Every software will eventually reach end-of-life (EOL), and when it does 
responsible vendors notify their customers of the implications and options 
for upgrading.

This vulnerability notice would ideally be coming from the vendor, and 
be unnecessary from any third party.

For a company whose marketing is often focused on security, it's been 
surprising to many that Apple appears to have a policy of not explicitly 
notifying their customers when software reaches EOL.

Consider Snow Leopard:  when it stopped receiving critical security 
updates this had to be reported by the tech press, because Apple 
provided no notice for their customers:

Apple retires Snow Leopard from support, leaves 1 in 5 Macs vulnerable 
to attacks

Microsoft gives many years' advance notice of OS EOL; Ubuntu lets you 
know the EOL date for every version even before it's released.

Apple would do well to join the other OS vendors in being more 
forthcoming with its customers about EOL and its implications.

> What Apple should do in response just to annoy DHS and the FBI is patch
> Quicktime for Windows.

Personally, I believe Cook's response to the FBI requests has been not 
only appropriate, but ultimately most beneficial for the FBI, whether 
the FBI realizes it or not.

We've done government-mandated security limits here in the States 
before, back in the '90s, and we're still paying the price for that in 
vulnerabilities that affect even federal systems today.

Cook noted that what the FBI was asking for simply doesn't exist at this 
time, and that they're disinclined to create it.  Ultimately, since all 
systems are imperfect, the FBI found another way to solve their problem 
and both teams get to save face.

On this issue there may be other reasons why it might benefit Apple to 
deliver another round of security enhancements for QT/Win, but mostly 
for the benefit of their customers.

If they stick with EOL for that package, let's hope at very least they 
start informing their customers more clearly about the implications of 
EOL for their software going forward.  Their current policy of relative 
silence on EOL is as unnecessary as it is damaging.

  Richard Gaskin
  Fourth World Systems
  Software Design and Development for the Desktop, Mobile, and the Web
  Ambassador at      
