This week an urgent call to action was issued advising Windows users to uninstall Apple's QuickTime media player, due to two critical 'zero day' vulnerabilities (security weaknesses that attackers can exploit before a fix exists) for which Apple will not be providing security updates.
Apple stopped updating the Windows version of QuickTime in January this year and does not intend to provide further updates. Apple is aware of these vulnerabilities, but because the product is deprecated, no security patch will be released. At the time of writing, Apple still offers QuickTime for Windows for download on its website. Apple's guidance is that Windows users should uninstall QuickTime, as it is now unsupported software. (This does not apply to Mac OS X users, as that version is still being updated.) However, Apple has not issued a press release regarding the end of QuickTime for Windows or the security risks of continuing to use it.
Trend Micro has released advisories about these vulnerabilities in accordance with its Zero Day Initiative (ZDI) disclosure policy, which applies when a vendor has been made aware of a vulnerability but does not issue a security patch for it. The ZDI first reports zero-day vulnerabilities to vendors, then allows them time to respond before releasing an advisory. The ZDI reported these vulnerabilities to Apple in November 2015, and Apple responded in March 2016 to advise that the product would be deprecated and that removal instructions would be published. Because no security patch has been released, the ZDI has published the corresponding advisories to indicate the obsolescence and security risks of the product.
To the best of the industry's knowledge, the zero-day vulnerabilities that have been disclosed have not yet been used in attacks. However, since Apple will not be patching QuickTime against these or any future vulnerabilities, keeping it installed on a Windows computer carries an ongoing security risk. Windows users are advised to follow Apple's guidance and uninstall it to keep their computers secure.
The Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT) has issued a release which details potential impacts of continuing to run Quicktime for Windows. US-CERT states that “computer systems running unsupported software are exposed to elevated cybersecurity dangers, such as increased risks of malicious attacks or electronic data loss. Exploitation of QuickTime for Windows vulnerabilities could allow remote attackers to take control of affected systems.”
Both advisories have been published on the Zero Day Initiative website (see ZDI-16-241 and ZDI-16-242). They provide more specific technical details of the vulnerabilities and of the vendor response.
Apple Support provides instructions on its website for uninstalling QuickTime for Windows.
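Apple's page describes the manual steps through the Control Panel. For an administrator who needs to find and remove QuickTime for Windows across many machines, the following PowerShell script is an added example (not code from Apple, US-CERT or the ZDI): it searches the standard Windows uninstall registry keys for a QuickTime entry published by Apple, reports what it finds, and unless -ReportOnly is given removes it with msiexec using the product code read from the registry. The registry paths and msiexec switches are standard Windows ones; the display-name match pattern and the assumption that QuickTime's entry is an MSI product code are assumptions made for this example.

```powershell
# Added example (not Apple, US-CERT or ZDI code): locate QuickTime for Windows
# via the Windows uninstall registry keys and remove it with msiexec.
# Run from an elevated PowerShell session. Use -ReportOnly to audit first.
[CmdletBinding()]
param(
    [switch]$ReportOnly
)

# QuickTime is a 32-bit package, so on 64-bit Windows its uninstall entry is
# under WOW6432Node; both locations are checked so 32-bit hosts are covered.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

$quicktime = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem $root | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        # Match on display name and publisher rather than a hard-coded product
        # GUID (assumption: the entry is named "QuickTime..." by "Apple...").
        if ($p.DisplayName -like 'QuickTime*' -and $p.Publisher -like 'Apple*') {
            [pscustomobject]@{
                DisplayName     = $p.DisplayName
                DisplayVersion  = $p.DisplayVersion
                ProductCode     = $_.PSChildName   # MSI keys are named by product GUID
                UninstallString = $p.UninstallString
            }
        }
    }
}

if (-not $quicktime) {
    Write-Output 'QuickTime for Windows is not installed on this host.'
    return
}

foreach ($q in $quicktime) {
    Write-Output ("Found {0} {1} (product code {2})" -f $q.DisplayName, $q.DisplayVersion, $q.ProductCode)
    if ($ReportOnly) { continue }

    # Silent MSI uninstall without a forced reboot.
    # Exit code 0 = success, 3010 = success but a reboot is pending.
    if ($q.ProductCode -match '^\{[0-9A-Fa-f-]+\}$') {
        $proc = Start-Process -FilePath 'msiexec.exe' `
            -ArgumentList "/x $($q.ProductCode) /qn /norestart" -Wait -PassThru
        Write-Output ("msiexec exit code: {0}" -f $proc.ExitCode)
    } else {
        # Not an MSI entry: do not guess, hand the registered command to the operator.
        Write-Warning ("Not an MSI product code; uninstall manually with: {0}" -f $q.UninstallString)
    }
}
```

Run it once with -ReportOnly to confirm that only the intended Apple QuickTime entry matches before letting it uninstall anything; the same registry query can be fed into an inventory system to find every host that still has the unsupported software installed.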