Apple’s QuickTime used to be a common install for many Windows users – thanks mostly to iTunes – but it has been a long time since it was a prerequisite for playing video and audio files on Windows-based computers.
In recent days, Trend Micro discovered two critical flaws in the Windows build of QuickTime and reported them to Apple. Apple responded to Trend Micro that it won’t be fixing the bugs, said it was no longer supporting the product, and recommended uninstalling QuickTime for Windows.
Christopher Budd from Trend Micro stated “Apple is deprecating QuickTime for Microsoft Windows. They will no longer be issuing security updates for the product on the Windows Platform and recommend users uninstall it. Note that this does not apply to QuickTime on Mac OSX.”
Apple began winding down support for QuickTime 7 on Windows in 2013 when it stopped offering tools to third-party developers. The last update for Windows was some nine months ago, and in January this year, it removed QuickTime browser plug-ins on Windows. However, there appears to have been no general warning to users that support is being dropped.
The vulnerabilities identified – ZDI-16-241 and ZDI-16-242 – are heap-corruption-based remote code execution vulnerabilities. They allow a hacker to hijack a victim’s computer and infect it with malware, simply by tricking them into opening a malicious file or web download.
Budd explained that they were not aware of any attacks that had taken advantage of the QuickTime weaknesses, but the best defence was to follow Apple’s own advice and uninstall the program from Windows-powered machines.
The US Computer Security Readiness Team (CERT) – part of the US Department of Homeland Security – agrees. Following Trend Micro’s findings, CERT issued an alert advising Windows users to immediately uninstall QuickTime.
Organisations can mitigate the risks associated with obsolete software by implementing a Standard Operating Environment (SOE) across the organisation. An SOE is a standard implementation of an operating system and its associated software. Combined with the correct policies, it allows an organisation to restrict what employees can, and cannot, install.
You can find information on how to uninstall QuickTime for Windows from the Apple website at https://support.apple.com/HT205771.
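To check whether a Windows machine still has QuickTime registered as installed, the following PowerShell function reads the standard Uninstall registry keys. It is an added example, not code from Apple, Trend Micro or the original article; the function name `Find-QuickTimeInstall` and the `QuickTime*` display-name pattern are assumptions.

```powershell
# Added example: inventory check for QuickTime on a Windows machine.
# Assumption: QuickTime registered itself under the standard Uninstall keys
# with a DisplayName beginning "QuickTime". The function name is hypothetical.
function Find-QuickTimeInstall {
    [CmdletBinding()]
    param(
        # DisplayName pattern to match (assumed; adjust if your build differs)
        [string]$NamePattern = 'QuickTime*'
    )

    # 64-bit, 32-bit (WOW6432Node) and per-user uninstall registrations
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    foreach ($key in $uninstallKeys) {
        # A key that does not exist (e.g. WOW6432Node on 32-bit Windows) is skipped
        Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like $NamePattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer        = $env:COMPUTERNAME
                    DisplayName     = $_.DisplayName
                    DisplayVersion  = $_.DisplayVersion
                    Publisher       = $_.Publisher
                    UninstallString = $_.UninstallString
                    RegistryKey     = $_.PSPath
                }
            }
    }
}

# Report the result for the local machine
$found = @(Find-QuickTimeInstall)
if ($found.Count -eq 0) {
    Write-Output ('{0}: no QuickTime installation registered.' -f $env:COMPUTERNAME)
} else {
    Write-Warning ('{0}: QuickTime is still installed.' -f $env:COMPUTERNAME)
    $found | Format-List
}
```

The `UninstallString` value in the output is the command the installer registered for removing the product, so the same function can feed an SOE compliance report or a removal task.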
For more information, contact the blueAPACHE account team.