A sleazy QuickTime trick

In a perfect world, we’d be able to choose one media player for everything. In the real world, we need two or three media players to handle the mix of incompatible and proprietary formats available on the Web. So, although I don’t use QuickTime often, I keep a copy installed so that I can see video clips on sites that offer only Apple formats.

If you use QuickTime on Windows or a Mac and you haven’t updated it since January 10, you’re at serious risk. But be careful when you go looking for that security update or you may get more than you bargained for.

On January 10, Apple released a critical update for QuickTime designed to fix five separate vulnerabilities, any of which can result in “arbitrary code execution” if you simply view a specially crafted image file (QTIF, GIF, TIFF, or TGA) or a similarly doctored media file. The vulnerability exists on Windows XP, Windows 2000, and Mac OS X. Sounds at least as serious as the WMF exploit that Microsoft was pilloried for, and indeed it is. (It took 71 days for Apple to come up with the patch after this vulnerability was reported, by the way, but that’s a topic for another day.)

Being a security-conscious sort, I checked my version of the QuickTime Player and determined that it was hopelessly out of date. I had version 6.5.1 installed; these vulnerabilities are fixed in version 7.0.4. I tried the Update Software option from the QuickTime Player menu, but when it finished its quick download and installation I was only at version 6.5.2, and it told me I was completely up to date. So I headed over to Apple’s QuickTime site and was greeted with this page:

I’ve circled the two areas of interest on this page. See that big blue Free Download Now button? That’s what most people will click. I almost did, until I noticed the wording at the top of the page: “QuickTime 7 with iTunes 6.” I don’t want iTunes! But I need that security update. Maybe I should read the security bulletin again. Oh, dear. Right there at the bottom, it has the bad news:

APPLE-SA-2006-01-10 QuickTime 7.0.4:

For Mac OS X v10.3.9 or later
The download file is named: “QuickTimeInstallerX.dmg”
Its SHA-1 digest is: a605fc27d85b4c6b59ebbbc84ef553b37aa8fbca

For Windows 2000/XP
The download file is named: “iTunesSetup.exe”
Its SHA-1 digest is: 1f7d1942fec2c3c205079916dc47b254e508de4e

Well, that’s odd. If I own a Mac, I can just get the QuickTime installer, but because I use Windows I have to install iTunes? Doesn’t seem right.

Hey, what’s that tiny link at the bottom of the QuickTime downloads page? The one that reads QuickTime Standalone Installer? Clicking that link from Internet Explorer installs the QuickTime ActiveX control. Clicking it from Firefox downloads a file called … QuickTimeInstaller.exe. No iTunes required. (Update: The QuickTime ActiveX control only loads in IE if it’s not already installed. The download link leads to the QuickTime installer, regardless of browser.)

This is a crappy way to do business, Apple. The security bulletin should reference the QuickTime installer, not just the iTunes setup file that happens to include the QuickTime Player. And if someone comes to your site looking for a critical security update, don’t push extra software on them.
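The check that the bulletin's file names and SHA-1 digests are meant to support, as an added example that is not part of the original post or of Apple's bulletin: it parses the excerpt quoted above and reports whether a downloaded file matches, mismatches, or has no published digest at all. The function names are assumptions made here, and the excerpt is reproduced with ASCII quotes.

```python
import hashlib
import hmac
import re

# Bulletin excerpt as quoted on this page (APPLE-SA-2006-01-10).
BULLETIN = """\
For Mac OS X v10.3.9 or later
The download file is named: "QuickTimeInstallerX.dmg"
Its SHA-1 digest is: a605fc27d85b4c6b59ebbbc84ef553b37aa8fbca

For Windows 2000/XP
The download file is named: "iTunesSetup.exe"
Its SHA-1 digest is: 1f7d1942fec2c3c205079916dc47b254e508de4e
"""

# One entry = a quoted file name (straight or curly quotes) plus a 40-hex digest.
ENTRY = re.compile(
    r'file is named:\s*["\u201c]([^"\u201d]+)["\u201d]\s*'
    r'Its SHA-1 digest is:\s*([0-9a-fA-F]{40})\b'
)


def published_digests(bulletin):
    """Map each file name in the bulletin to its lowercase SHA-1 digest."""
    return {name: digest.lower() for name, digest in ENTRY.findall(bulletin)}


def sha1_of(path, chunk_size=1 << 16):
    """Hash a file in chunks so large installers are not read into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def check_download(path, name, bulletin=BULLETIN):
    """Return 'match', 'mismatch', or 'unlisted' for a downloaded file.

    'unlisted' means the bulletin publishes no digest under that name,
    so the file cannot be verified against it at all.
    """
    expected = published_digests(bulletin).get(name)
    if expected is None:
        return "unlisted"
    actual = sha1_of(path)
    return "match" if hmac.compare_digest(actual, expected) else "mismatch"
```

For the standalone `QuickTimeInstaller.exe`, `check_download` returns `"unlisted"`: the bulletin gives a Windows user nothing to verify that file against.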

Years ago, Real used to pull this same crap with their RealPlayer. When you visited the download page, you were steered into the trial version of Real’s subscription-based software, and it took a treasure map and a Sherpa to find the tiny link to the free player. It took a few thousand complaints, but Real finally wised up. Go to Real.com now and you’ll see two buttons of equal size: one offers a 14-day trial of its premium SuperPass product; the other is labeled Free Download. No magnifying glass required.

I never thought I’d say it, but Real is setting the standard when it comes to downloads. Apple, clean up your act.

Update: A visitor from Down Under comments that Real.com is up to its old tricks on sites outside the United States. After telling Real.com that I’m from Australia, I can see what he’s talking about. As a point of reference, here’s what the main U.S. page looks like:

44 Thoughts on “A sleazy QuickTime trick”

  1. Not sure what real.com you’re looking at. But when I visit their site, there are two buttons – “Download Now Free – 14 Day Trial”, for exactly the same thing. There is a small text-only link, in grey, for “Free RealPlayer”.

    Even when you do click on the “Free RealPlayer” link, they still highlight a $19.99 product.

    Real has not improved.

  2. The legality is dubious (actually, probably downright illegal). The risk is higher than you might like. But if you need to play Real or QuickTime media and detest their players and packages, consider Real Alternative and QuickTime Alternative. These are packages that contain simply the core playback components for that media type (taken from Real and Apple’s distributions), DirectShow wrappers to make it possible to load the media into any DirectShow-supporting media player (like, say, WMP), and Media Player Classic, which uses a WMP 6.4-like interface.

  3. You’re good, as I was never able to find the link on the page. I always ended up googling for the standalone download (or Apple has recently added it to the page).

    Apple has been pushing the iTunes+QuickTime bundle for a while now (link).

    It stunk then and smells even worse now… Now I have to instruct my family and friends how to find the standalone version, answer questions like “what is iTunes and why do I want it when I don’t listen to music on my PC” and then back out the Windows services and Startup crud that iTunes installs…

    I don’t mind the bundling as much as I mind the fact it’s pretty much being forced on us. It just feels deceptive slimy.

    This bundling BS craze will not end soon enough for me…

  4. Ed: Old news really. It’s been like that since QuickTime 7 was released for Windows back in September 2005.

    Greg: The standalone download has been available since version 7 was released. I’m not sure how the bundle is “pretty much being forced on us” when a standalone version is available? Could Apple do a better job highlighting that? Sure, but no one is forcing anything on you.

  5. Mousky, the problem (and the news) is that the security bulletin for a critical update tells Apple customers that they have to get the iTunes bundle. It doesn’t mention a standalone installer.

  6. Ed, thanks for the update about real.com. Before posting, I did change the version to English-United States and saw the same thing as English-Australia – hence my comment. I notice though that after changing the location to United States, it seems to still be showing an “international” page – probably why I can’t see what you show above.

  7. I’m another Australian, and I HATE Real. Their site maze sucks, they have a terrible corporate history. Yuck. Thank goodness for Real Alternative.

  8. Simon, I had the exact same experience until I deleted all real.com cookies. One visit to the international site was enough to lock in a view like you describe. Ugh.

  10. Scott Shaw on January 21, 2006 at 8:02 pm said:

    If you want to avoid apple’s bloated software altogether, you can download “Quicktime Alternative” and get the quicktime codecs and run them in media player classic.

  11. I decided to install Quicktime. I didn’t pay attention at the time, and noticed that I had downloaded the iTunes installer. I decided to go for it and install it, but did a custom install to make sure that iTunes did absolutely nothing with any of my media files. After installing, I looked, and sure enough, I could uninstall iTunes without uninstalling Quicktime at the same time, so I did that without even having run iTunes once on my computer.

    I really think that is shabby of Apple. It’s on par with most of my experiences with Apple though, so…

  12. Had the same experience when a video required an update to quicktime to run. I only use QT where there is no choice but got the combo and removed itunes after the install as didn’t realise there was a separate install. Reading the comments it seems like Apple can do no wrong in some eyes.

  13. I dislike the way Apple (a) distributes its “free” software, and (b) makes everything so hard to use. Ed’s covered point (a), let me say a few words about (b).

    My teenage daughters received iPods for Christmas, and naturally turned to Dad for help loading songs onto their new toys. Every other device I’ve ever seen allows a Windows-type file system analogy, in which the device is represented by a virtual drive, and you can drag files from one directory window to another. Apple makes you go through the iTunes software, which shows file lists, but does not make it clear how to transfer files. You have to check all files in the iTunes library which you want on your iPod (even the ones which are already there), then click some button to transfer the files. The file must be checked in the iTunes list, even if it’s already on the iPod, or it will be removed from the iPod in some twisted “Refresh” operation.

    Apple is still living off its 20-year-old reputation as being easier to use than Windows, and actually, pre-Windows, machines (I bought a Mac Plus in about 1986, on which I wrote my doctoral dissertation). But most third party software hasn’t kept up in Macs. My kids’ schools use Macs, and the kids come home and complain that they can’t do X, which is so easy on our XP machine at home.

    OT: Mad TV last night had a spoof ad for a feminine hygiene product called the iPad; hilarious.

  14. Hey Ed! I went to the QuickTime page on apple that you linked, and I clicked on the ‘QuickTime Standalone Installer’ (also circled in the photo in your entry) both in IE and Firefox. In both cases I was directed to a stand-alone app download page! So I didn’t get the ActiveX download that you mentioned.
    Nevertheless, I certainly don’t like this ‘Real’-ish behaviour! Bundling QuickTime with iTunes, iTunes with QuickTime! Starts to put people off after some time!

  15. Jon, I can’t stand iTunes. Take a look at Anapod Explorer from Redchair Software… http://redchairsoftware.com/anapod/

    Yes, it’s 3rd party and it’s not free, but it’s a great interface for the iPod.

  16. Funnily enough, Mac users just get QuickTime to download – iTunes isn’t bundled in. But then QuickTime and iTunes have just got a lot bigger for Mac users since they’re now universal binaries and include code for both x86 and PPC processors. And anyway, Mac OS X’s software update looks after iTunes and QuickTime automatically so it’s rare that you’ll ever have to manually download them.

    I don’t mind Apple bundling the two together since I use both on my Windows laptop (well, I use iTunes and you need QuickTime to run iTunes) but the issue here is that the bundle is the default, and that’s wrong. Apple should primarily offer just QuickTime and then have the QuickTime+iTunes bundle available further down the page for those who actually want it.

    As for real.com on a Mac, most of the page is about RealPlayer for Mac with SuperPass but there is a big blue ‘Free Player’ button. You are still supposed to register with real.com before downloading though. Unfortunately Mac users have to install RealPlayer for playing RealMedia files as there are no alternatives yet, though the Mac version of RealPlayer is a much more pleasant experience than the Windows client.

  17. Wow, thanks for your sharp-eyed sleuthing. I haven’t updated Quicktime because of the iTunes with it. I didn’t spot that installer link. It just looked like part of a list that didn’t catch my attention when I was there before – it’s deliberate obscurity.

  18. PeteK: Thanks for the link to Anapod. I’m going to check it out.
