If you have Apple QuickTime installed on your Windows PC, now is the time to remove it. There are known vulnerabilities that can be exploited relatively easily, and the software is no longer being supported by Apple.
A public statement has recently been issued by US-CERT, part of the Department of Homeland Security, urging anyone using QuickTime for Windows to remove the product immediately. This is due to the fact that Apple have ceased development and are therefore no longer deploying security updates for the software. This statement was triggered after Trend Micro’s Zero Day Initiative recently revealed two critical vulnerabilities in QuickTime for Windows: ZDI-16-241 and ZDI-16-242.
“These two vulnerabilities are considered ‘remote code execution’ vulnerabilities, which means a miscreant could get the victim to click on a link or visit a website, and remotely hack into the computer without ever physically being in front of the computer,” warns Dodi Glenn, VP of cyber security at PC Pitstop. “While we have yet to see these vulnerabilities being used in the ‘wild’, our experience tells us that it won’t be long before they are bundled in the majority of exploit kits being sold on the underground marketplace.”
The US-CERT advisory states, “Computers running QuickTime for Windows will continue to work after support ends. However, using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets. The only mitigation available is to uninstall QuickTime for Windows.”
Sanjay Ramnath, Senior Director of Security Product Management for Barracuda, explains, “While Apple has every right to discontinue any of its products, it should be done so in a way to limit risk to its users. Unfortunately, given how widespread the use is, pulling the plug without pre-announcement and without fixing known problems causes significant risk.”
“Unfortunately, companies discontinue products all the time. QuickTime for Windows has been around since the early 90s and I think was the first piece of Windows software released by Apple. However, since its feature set has been eclipsed by other programs over the years it sort of makes sense to discontinue it,” states Cris Thomas, Strategist for Tenable Network Security. “In fact, for most users there is no need for QuickTime at all. It is no longer required by iTunes and web video is usually served by HTML 5 these days.”
The sudden expiration of support for QuickTime means that patches or security updates for known or reported vulnerabilities will no longer be issued by Apple. This includes the two vulnerabilities described in the Trend Micro Zero Day Initiative. This announcement suggests that Windows machines using QuickTime may be increasingly vulnerable to zero-day attacks.
To further complicate matters, any application that relies on QuickTime will need to change. For the majority of organisations, this change will take time, which will impact productivity and therefore put them at even greater risk. Adobe has already issued guidance stating that their Adobe Creative Cloud customers may run into issues when uninstalling QuickTime.
There is some good news according to Tenable’s Thomas. “Since the current version of QuickTime for Windows 7.7.9 removed the browser plugin anyway there is no way for an attack to automatically compromise a system with a simple drive-by exploit. The attacker would have to convince a victim to download a specially crafted file and then get them to open it in QuickTime.”
Ramnath stresses, “The best defence is often a great offense. Customers should ensure they have layered security to protect against these types of attacks—security solutions that block malicious attachments and links or use other advanced threat detection techniques.”
Discontinuing support for a software product is one thing, but suddenly removing support a program widely used by PC users without even addressing known security vulnerabilities is another matter entirely. Despite Apple no longer supporting QuickTime, they still offer the software for download on their website.
“Since Apple knows these products have critical vulnerabilities they should be made unavailable for download. Leaving them in place is simply gross negligence,” states Thomas.
If you have Apple’s QuickTime installed on your PC, and you have no applications such as Creative Cloud which currently rely on the software, you should remove it from your Windows PC immediately.