It's time to uninstall QuickTime for Windows, security experts -- including Trend Micro and the Department of Homeland Security -- say, because Apple has abruptly pulled the plug on the program after two zero-day vulnerabilities were found.
Apple issued its last patch for QuickTime for Windows in January, and it seems that will be the last patch the software ever receives. Trend Micro's Zero Day Initiative (ZDI) recently disclosed two new and critical zero-day vulnerabilities in the software, ZDI-16-241 and ZDI-16-242. Both vulnerabilities were described as potentially allowing "remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime" if the target were to visit a malicious webpage.
ZDI also noted in the post that Apple said it "will no longer be issuing security updates for the product on the Windows Platform and recommend users uninstall it."
However, Apple has not officially announced an end of life (EOL) for QuickTime and the support page for the software still describes the process to uninstall QuickTime in terms of "If you no longer need QuickTime ..."
Although Apple has not released information on the subject, the Department of Homeland Security (DHS) US-CERT said that "the only mitigation available is to uninstall QuickTime for Windows."
The DHS noted in its advisory that "using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets."
Wolfgang Kandek, CTO at Qualys, noted that "while companies should not necessarily be forced to issue security patches for products that are not supported anymore, they should communicate clearly the planned EOL of products and inform customers about alternatives."
Brandon LeBlanc, senior program manager for the Windows Insider Program Team at Microsoft, tweeted:
And security reporter Brian Krebs said plainly, "... if you have Quicktime on a Windows box -- do yourself a favor and get rid of it."