Users Urged to Uninstall QuickTime for Windows

Users Urged to Uninstall QuickTime for Windows

Security experts are urging QuickTime for Windows owners to uninstall the multimedia software after Apple quietly announced that it will no longer be issuing security updates.

Trend Micro global threat communications manager, Christopher Budd, explained in a blog post that Apple’s decision came as his firm found two critical new zero day vulnerabilities affecting the software.

ZDI-16-241 and ZDI-16-242 are heap corruption remote code execution vulnerabilities which have a CVSS 2.0 score of 6.8.

“One vulnerability occurs an attacker can write data outside of an allocated heap buffer. The other vulnerability occurs in the stco atom where by providing an invalid index, an attacker can write data outside of an allocated heap buffer,” he added.

“Both vulnerabilities would require a user to visit a malicious web page or open a malicious file to exploit them, and both vulnerabilities would execute code in the security context the QuickTime player, which in most cases would be that of the logged on user.”

Although there are no reports of the bugs being actively exploited in the wild, the only way for users to be sure that they’re protected from these and any other flaws in QuickTime for Windows is to uninstall the software completely, Budd advised.

“QuickTime for Windows now joins Microsoft Windows XP and Oracle Java 6 as software that is no longer being updated to fix vulnerabilities and subject to ever increasing risk as more and more unpatched vulnerabilities are found affecting it,” he argued.

Apple has remained pretty tight-lipped on the matter, but its advice on how to uninstall QuickTime for Windows can be found here.

The tech giant last updated the software back in January, with version 7.7.9.

It remains to be seen why it has been slow to publicize its decision to withdraw support for the Windows version of the product. By failing to inform customers it could be exposing them to serious risks, once the black hats get wind that any new flaws won’t be patched.

Source: Information Security Magazine