It is official: Apple will no longer provide security updates for the Windows version of the popular QuickTime.
It is important to uninstall the product, which remains vulnerable to cyber attacks. Experts recently discovered two remote code execution vulnerabilities that, at this point, will remain unfixed.
The announcement that QuickTime for Windows will no longer be supported was published by ZDI, which obtained the news after Steven Seeley of Source Incite reported details of the two critical vulnerabilities.
The security vulnerabilities were reported to Apple on November 11, 2015, and the company communicated to ZDI on March 9 that it is deprecating QuickTime on Windows.
“First, Apple is deprecating QuickTime for Microsoft Windows. They will no longer be issuing security updates for the product on the Windows Platform and recommend users uninstall it. Note that this does not apply to QuickTime on Mac OSX.
Second, our Zero Day Initiative has just released two advisories ZDI-16-241 and ZDI-16-242 detailing two new, critical vulnerabilities affecting QuickTime for Windows.” reported Trend Micro in a blog post.
Both issues are heap corruption flaws that could be exploited by hackers for remote code execution. The attack scenario is simple and sees the victims accessing a maliciously crafted website or file.
“Both of these are heap corruption remote code execution vulnerabilities. One vulnerability occurs an attacker can write data outside of an allocated heap buffer. The other vulnerability occurs in the stco atom where by providing an invalid index, an attacker can write data outside of an allocated heap buffer. Both vulnerabilities would require a user to visit a malicious web page or open a malicious file to exploit them. And both vulnerabilities would execute code in the security context of the QuickTime player, which in most cases would be that of the logged on user.” continues Trend Micro.
At this point you have no choice: you must uninstall QuickTime now!
“Uninstalling QuickTime 7 also removes the legacy QuickTime 7 web plug-in, if present. Websites increasingly use the HTML5 web standard for a better video-playback experience across a wide range of browsers and devices, without additional software or plug-ins. Removing legacy browser plug-ins enhances the security of your PC.” states Apple.
What is the impact on OS X users?
Apple informed users that the QuickTime plugin has been disabled in OS X and web browsers in order to protect them from cyber attacks leveraging the security flaws.
The US-CERT has issued an advisory on the vulnerabilities explaining the risks associated with the flaws.
“Computers running QuickTime for Windows will continue to work after support ends. However, using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets. The only mitigation available is to uninstall QuickTime for Windows,” states the US-CERT advisory.
At the time of writing, security experts confirmed that they are not aware of any active attacks against these vulnerabilities.
Don’t waste time, uninstall QuickTime for Windows today.
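For administrators who need to find the product before removing it, the following PowerShell script is an added example, not part of the original article or of any vendor advisory. It inventories QuickTime from the Windows registry uninstall keys and, with the hypothetical `-Uninstall` switch defined here, removes MSI-registered copies; the `QuickTime*` display-name match is an assumption, so check the Publisher column before removing anything.

```powershell
# Added example: inventory (and optionally remove) QuickTime for Windows.
# Assumption: the product registers a DisplayName starting with "QuickTime".
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Uninstall   # hypothetical switch defined for this example
)

# 64-bit, 32-bit (WOW6432Node) and per-user uninstall registrations.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$found = foreach ($key in $uninstallKeys) {
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'QuickTime*' } |
        Select-Object @{n='Computer';e={$env:COMPUTERNAME}},
                      DisplayName, DisplayVersion, Publisher,
                      @{n='ProductCode';e={$_.PSChildName}},
                      UninstallString
}

if (-not $found) {
    Write-Output "QuickTime not found on $env:COMPUTERNAME"
    return
}

# Review this list (especially Publisher) before running with -Uninstall.
$found | Format-Table -AutoSize

if ($Uninstall) {
    foreach ($app in $found) {
        # MSI-registered products use their product GUID as the key name.
        if ($app.ProductCode -match '^\{[0-9A-Fa-f-]{36}\}$') {
            if ($PSCmdlet.ShouldProcess($app.DisplayName, 'msiexec /x')) {
                $p = Start-Process msiexec.exe -Wait -PassThru `
                     -ArgumentList '/x', $app.ProductCode, '/qn', '/norestart'
                Write-Output "$($app.DisplayName): msiexec exit code $($p.ExitCode)"
            }
        } else {
            Write-Warning "$($app.DisplayName) is not an MSI product; run: $($app.UninstallString)"
        }
    }
}
```

Run it without arguments to list matches only; `-Uninstall -WhatIf` shows what would be removed without changing the system.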
(Security Affairs – QuickTime for Windows, hacking)