Vladislav Kochelaevs - Fotolia
Apple won't patch zero days so uninstall QuickTime now
DHS says users need to uninstall QuickTime for Windows immediately as Apple quietly sends the software to its end of life following the disclosure of two zero-day flaws.
It's time to uninstall QuickTime for Windows, security experts -- including Trend Micro and the Department of Homeland Security -- say, because Apple has abruptly pulled the plug on the program after two zero day vulnerabilities were found.
Apple issued its last patch for QuickTime for Windows in January, and it seems that will be the last patch the software ever receives. Trend Micro's Zero Day Initiative (ZDI) recently disclosed two new and critical zero-day vulnerabilities in the software, ZDI-16-241 and ZDI-16-242. Both vulnerabilities were described as potentially allowing "remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime" if the target were to visit a malicious webpage.
ZDI also noted in the post that Apple said it "will no longer be issuing security updates for the product on the Windows Platform and recommend users uninstall it."
However, Apple has not officially announced an end of life (EOL) for QuickTime and the support page for the software still describes the process to uninstall QuickTime in terms of "If you no longer need QuickTime ..."
Although Apple has not released information on the subject, the Department of Homeland Security (DHS) US-CERT said that "the only mitigation available is to uninstall QuickTime for Windows."
The DHS noted in its advisory that "using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets."
Wolfgang Kandek, CTO at Qualys, noted that "while companies should not necessarily be forced to issue security patches for products that are not supported anymore, they should communicate clearly the planned EOL of products and inform customers about alternatives."
Brandon LeBlanc, senior program manager for the Windows Insider Program Team at Microsoft, tweeted:
Apple should do the right thing here for its customers and patch these security issues in QuickTime. #Lame https://t.co/sQW83CZLMp
— Brandon LeBlanc (@brandonleblanc) April 15, 2016
And security reporter Brian Krebs said plainly, "... if you have Quicktime on a Windows box -- do yourself a favor and get rid of it."
