Trend Micro warned last week that Apple’s QuickTime for Windows had critical bugs and that Apple would no longer be providing security updates as the product lifecycle had expired. These bugs do not affect OS X users.
"We're not aware of any active attacks against these vulnerabilities currently," Christopher Budd from Trend Micro wrote in the blog post. "But the only way to protect your Windows systems from potential attacks against these or other vulnerabilities in Apple QuickTime now is to uninstall it."
So why did the US Department of Homeland Security get involved?
The department states, “Computers running QuickTime for Windows will continue to work after support ends. However, using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets. The only mitigation available is to uninstall QuickTime for Windows.”
A great many government computers have QuickTime running to support iPhones and iTunes. Without a definite ‘must remove’ statement, government computers would be at risk.
Trend Micro agrees that this is an urgent, ‘uninstall today’ call to action. Zero Day Initiative has just released two advisories, ZDI-16-241 and ZDI-16-242, detailing two new, critical vulnerabilities affecting QuickTime for Windows. These advisories have been released in accordance with the Zero Day Initiative’s Disclosure Policy for when a vendor does not issue a security patch for a disclosed vulnerability. And because Apple is no longer providing security updates for QuickTime on Windows, these vulnerabilities are never going to be patched.
Users are advised not to use QuickTime Lite or any player based on QuickTime code.
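Since the only mitigation is removal, the first job for an administrator is finding out which machines still have the software. The following PowerShell is an added example, not taken from Trend Micro, the Zero Day Initiative or the Department of Homeland Security; it reads the standard Windows uninstall registry keys and assumes the installed product's display name contains the word "QuickTime".

```powershell
# Added example: list QuickTime for Windows installs on the local machine.
# Assumption: the product registers an uninstall entry whose DisplayName
# contains "QuickTime". Third-party players that use the name will also match.

# Standard uninstall locations: 64-bit, 32-bit on 64-bit Windows, and per-user.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-QuickTimeInstall {
    foreach ($root in $uninstallRoots) {
        # Missing hives (for example WOW6432Node on 32-bit Windows) are skipped.
        Get-ItemProperty -Path $root -ErrorAction SilentlyContinue |
            Where-Object {
                # Some uninstall keys have no DisplayName value at all.
                $_.PSObject.Properties['DisplayName'] -and
                $_.DisplayName -like '*QuickTime*'
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer        = $env:COMPUTERNAME
                    DisplayName     = $_.DisplayName
                    DisplayVersion  = $_.DisplayVersion
                    Publisher       = $_.Publisher
                    UninstallString = $_.UninstallString   # what the admin would run to remove it
                    RegistryKey     = $_.PSPath
                }
            }
    }
}

$found = @(Get-QuickTimeInstall)
if ($found.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: no QuickTime uninstall entry found"
} else {
    # One record per entry; pipe to Export-Csv instead to collect fleet results.
    $found | Format-List
}
```

An empty result only means no uninstall entry was registered; players that bundle QuickTime code without their own entry under that name will not show up here.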