The Department of Homeland Security and Trend Micro recently issued security advisories recommending users uninstall...
QuickTime for Windows after Apple abruptly pulled support for the software amid the discovery of two zero-day vulnerabilities. Apple later announced that QuickTime for Windows had been moved to end of life. Why didn't Apple patch the vulnerabilities, or at least communicate its plans to end QuickTime support ahead of time? Is this a common practice for major vendors like Apple?
It wasn't too much of a surprise when Apple announced the end of life for QuickTime for Windows, but it could have been handled better to give users more time to respond to the move. QuickTime, a multimedia solution mainly used to play video and audio, was first released for Mac OS in 1991 with a version for Windows made available later. After Microsoft added support for key media formats, like H.264 and AAC, to Windows in 2009, users had less need to use QuickTime to play modern media formats. QuickTime's popularity continued to wane as web browsers moved to support video without the need for browser plug-ins and websites moved to the HTML5 web standard for video playback.
The first signs of QuickTime's demise came in 2011, when OS X Lion moved to the AV Foundation graphics framework, and in 2013, when Apple deprecated all developer APIs for QuickTime on Windows.
The end came out of the blue, however. In April 2016, Trend Micro announced that Apple had ceased all security patching of QuickTime for Windows. It reached this conclusion after its TippingPoint threat defense unit released two zero-day advisories, ZDI-16-241 and ZDI-16-242, which can be used to remotely compromise Windows computers. The advisories were issued in accordance with the Zero Day Initiative's Disclosure Policy for when a vendor does not provide a security patch for a disclosed vulnerability. On that same day, US-CERT issued alert TA16-105A, advising users to uninstall QuickTime for Windows as the only sure way to protect against current and future vulnerabilities in the product. Apple announced a week later that it would no longer support QuickTime 7 for Windows.
Even though Apple may have known its appetite for supporting QuickTime for Windows was waning, it's still no excuse for not forewarning users of such an important decision. Once vendor support for a product stops, the prudent response is to stop using it, uninstall it and find an alternative. For many organizations, there is no option other than to uninstall it, as running unsupported software is an unnecessary risk as the software will forever be vulnerable to exploitation henceforth, and is often prohibited under compliance standards.
Apple doesn't have a published policy and doesn't publish official dates for retiring products. Based on past practices, security updates are released for the current version of OS X and the two previous ones, giving three years support from first release to end of life -- a new version of OS X is released each year. The status of support for individual products can be less obvious, as shown by the sudden end of life for QuickTime for Windows -- it's understood QuickTime for Mac will continue to receive updates.
Enterprises need a reasonable amount of time to be able to plan migrating from one major software version to another; for example, Microsoft estimates that a full server migration from Windows 2003 to Windows Server 2012 R2 can take up to 200 days. To give administrators time to prepare for upgrades, software vendors should provide advance warnings, roadmaps or end of life guidelines for their products, and some do. Microsoft has a lifecycle support policy providing detailed guidelines for support availability throughout each product's life, as does Adobe. Oracle provides roadmaps for its main products, such as the Java SE Support Roadmap. This type of information makes planning for upgrades and product migration a lot less prone to sudden shocks. However, the industry needs to do more to warn users about the dangers of running unsupported software and encourage people to upgrade from legacy software. Despite repeated warnings about the approaching end of life for Windows XP, many users and businesses are still running it.
Apple's instructions for uninstalling QuickTime can be found here. Uninstalling QuickTime also removes the legacy QuickTime web plug-in, which users should no longer need.
Find out more about the FBI's undisclosed zero-day exploits
Learn how to create an enterprise end-of-life policy for mobile devices
Read about planning for end of life for IoT products
Dig Deeper on Microsoft Windows security
Related Q&A from Michael Cobb
Expert Michael Cobb details how to argue for a multistep secure code review process, like Microsoft SDL, and the pros of secure coding practices. Continue Reading
Researchers developed a tool to help prevent improper certificate pinning that causes security issues. Expert Michael Cobb reviews the issue and the ... Continue Reading
Google Project Zero discovered a WPAD attack that could target systems running Windows 10. Expert Michael Cobb explains how the attack works and how ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.