
Apple won't patch zero days so uninstall QuickTime now

DHS says users need to uninstall QuickTime for Windows immediately as Apple quietly sends the software to its end of life following the disclosure of two zero-day flaws.

It's time to uninstall QuickTime for Windows, security experts -- including Trend Micro and the Department of Homeland Security -- say, because Apple has abruptly pulled the plug on the program after two zero-day vulnerabilities were found.

Apple issued its last patch for QuickTime for Windows in January, and it seems that will be the last patch the software ever receives. Trend Micro's Zero Day Initiative (ZDI) recently disclosed two new and critical zero-day vulnerabilities in the software, ZDI-16-241 and ZDI-16-242. Both vulnerabilities were described as potentially allowing "remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime" if the target were to visit a malicious webpage.

ZDI also noted in the post that Apple said it "will no longer be issuing security updates for the product on the Windows Platform and recommend users uninstall it."

However, Apple has not officially announced an end of life (EOL) for QuickTime and the support page for the software still describes the process to uninstall QuickTime in terms of "If you no longer need QuickTime ..."

Although Apple has not released information on the subject, the Department of Homeland Security (DHS) US-CERT said that "the only mitigation available is to uninstall QuickTime for Windows."

The DHS noted in its advisory that "using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets."

Wolfgang Kandek, CTO at Qualys, noted that "while companies should not necessarily be forced to issue security patches for products that are not supported anymore, they should communicate clearly the planned EOL of products and inform customers about alternatives."

Brandon LeBlanc, senior program manager for the Windows Insider Program Team at Microsoft, tweeted:

And security reporter Brian Krebs said plainly, "... if you have Quicktime on a Windows box -- do yourself a favor and get rid of it."


What do you think about how Apple has handled the zero days and announcement to uninstall QuickTime?
The entire issue of legacy software is becoming more complex and it is not just the software producer that bears the burden. Users often get very attached to a program and refuse to upgrade or change. I guess in an ideal world, programs and apps would be written so that they could be triggered to self uninstall. Relying on users to uninstall programs is not reliable at all as many users do not even take the time to clean up old files. The security risks of old apps are going to plague the industry for years to come as new risks develop and more vulnerabilities are exposed. One only has to look at the number of users still running XP to get an understanding of the problem.
Nice to give us a heads up. It forces us to take notice and action. If we don't then we have nobody to blame but ourselves. I think the same needs to be done with Flash and force developers to use HTML5.
Many professionals I’ve worked with have been calling for uninstalling QuickTime for quite a few years now, likening it to adware or, even worse, malware. I’m sure there will be much rejoicing over this.
Y'all should have been using VLC media player all along. Quicktime is not necessary for any Windows device. As far as what Apple should do, they have done it by not spending good money after bad.
Problem here lies in the fact that if you are a long time Quicktime user in the iTunes Store, you probably still have music that is still in their proprietary format w/ security!

So uninstall it and then what can you do to do bulk conversion of those music and video files? So you have them backed up in iCloud, they'll only play in iTunes. Now what I want to know is, since the Quicktime Player is how I am able to play those 100+ GB of Music and Videos, does iTunes need to be removed too?

Remember the whole reason Apple made Quicktime for Windows or iTunes was to lock you into their Closed Ecosystem! ......so is Apple abandoning those same people who won't buy a Mac and this is the punishment for that??? Apple is a Rotten Evil Company, that only exists to make more money for shareholders, while never innovating or spending money on keeping customers on the cutting edge of technology. Quicktime ain't going away from Apple product users..... only Windows users who refuse to migrate to Apple Products. That should be against the law without the tools to convert our whole library over to other formats easily.

While I can play these music files in iTunes now (older itunes purchases), does this mean iTunes for Windows (which still uses Quicktime) is going away too?
Done deal.. I have not used it for a few years but kept it on my system until now.. Not worth the risk when VLC suits my needs.