For years, Apple QuickTime has hovered between a nuisance install bundled with iTunes and a necessary application for various third-party software tools, some of which rely on QuickTime for audio or video playback. The US government and TrendMicro are both recommending that all Windows users uninstall QuickTime immediately thanks to critical vulnerabilities that Apple has no intention of fixing.
[O]ur Zero Day Initiative has just released two advisories ZDI-16-241 and ZDI-16-242 detailing two new, critical vulnerabilities affecting QuickTime for Windows. These advisories are being released in accordance with the Zero Day Initiative’s Disclosure Policy for when a vendor does not issue a security patch for a disclosed vulnerability. And because Apple is no longer providing security updates for QuickTime on Windows, these vulnerabilities are never going to be patched.
We’re not aware of any active attacks against these vulnerabilities currently. But the only way to protect your Windows systems from potential attacks against these or other vulnerabilities in Apple QuickTime now is to uninstall it. In this regard, QuickTime for Windows now joins Microsoft Windows XP and Oracle Java 6 as software that is no longer being updated to fix vulnerabilities and subject to ever increasing risk as more and more unpatched vulnerabilities are found affecting it.
TrendMicro goes on to write that both flaws are remote code execution vulnerabilities that would require an end user to actively visit a malicious webpage or open a malicious file to exploit them. US-CERT has released its own notification, calling on Windows users to uninstall the software (Mac users are not affected).
QuickTime is a lot like Java, in that you probably don’t need to have it installed. If you do need it, however, it may prove difficult to replace, and Apple isn’t currently helping matters. The company has not updated the QT landing page to inform users that the software is deprecated or no longer maintained, and the Apple Software Update tool is still pushing QuickTime to end users.
There’s also the fact that this disclosure was handled by TrendMicro, not Apple itself, and the company with the critical vulnerability really ought to be doing more to reach out to end-users and inform them of problems.
Users who can’t uninstall QuickTime for work-related reasons don’t currently have much recourse. HP TippingPoint IPS customers are reportedly protected, but conventional antivirus software won’t stop this exploit. If you have to use QuickTime, we’d recommend double-checking all QT files that you work with and being careful to avoid playing back any material you can’t authenticate. With QuickTime for Windows being phased out, it’s important to find alternative software solutions for the long term.
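Since the only remediation the advisories offer is removal, the first step for an administrator is knowing which Windows hosts still have QuickTime. The following PowerShell script is an added example, not code from the article, TrendMicro or Apple: it checks the per-machine Uninstall registry keys (both the 64-bit and WOW6432Node views) for an entry whose DisplayName begins with "QuickTime" (an assumed match pattern) and, with the -Remove switch, uninstalls it silently when the entry is a Windows Installer product.

```powershell
# Added example (not from the article): find, and optionally remove, QuickTime for Windows.
# Assumption: Apple's installer registers with a DisplayName starting with "QuickTime".
param([switch]$Remove)

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-QuickTimeInstall {
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            if ($props.DisplayName -like 'QuickTime*') {
                [pscustomobject]@{
                    DisplayName     = $props.DisplayName
                    DisplayVersion  = $props.DisplayVersion
                    ProductCode     = $_.PSChildName      # MSI GUID when installed via Windows Installer
                    UninstallString = $props.UninstallString
                }
            }
        }
    }
}

$found = @(Get-QuickTimeInstall)
if ($found.Count -eq 0) {
    Write-Output 'QuickTime for Windows is not installed on this host.'
    exit 0
}

# Report what was found so the inventory can be collected centrally.
$found | Format-Table -AutoSize

# Removal requires administrative rights. If the key name is an MSI product code
# (a GUID), msiexec can remove the product silently; otherwise show the vendor's
# own UninstallString so it can be run by hand.
if ($Remove) {
    foreach ($app in $found) {
        if ($app.ProductCode -match '^\{[0-9A-Fa-f-]{36}\}$') {
            Start-Process -FilePath 'msiexec.exe' `
                -ArgumentList "/x $($app.ProductCode) /qn /norestart" -Wait
        } else {
            Write-Warning "Non-MSI entry for $($app.DisplayName); run manually: $($app.UninstallString)"
        }
    }
}
```

Run it without -Remove first to build an inventory across hosts; the same registry check is the condition to put in a compliance or detection rule once QuickTime is supposed to be gone.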