The Department of Homeland Security issued a warning to all PC owners on April 14th; Uninstall Quicktime immediately. There are known vulnerablilities in the software, and Apple has discontinued updates for it. This leaves your PC at risk to hackers. Forbes.com tells us more of the story:
This alert stems from a recent call to action from TrendMicro after the company’s Zero Day Initiative revealed two critical vulnerabilities: ZDI-16-241 and ZDI-16-242 that affect QuickTime for Windows.
“These two vulnerabilities are considered ‘remote code execution’ vulnerabilities, which means a miscreant could get the victim to click on a link or visit a website, and remotely hack into the computer without ever physically being in front of the computer,” warns Dodi Glenn, VP of cyber security at PC Pitstop. “While we have yet to see these vulnerabilities being used in the ‘wild’, our experience tells us that it won’t be long before they are bundled in the majority of exploit kits being sold on the underground marketplace.”
The US-CERT advisory states, “Computers running QuickTime for Windows will continue to work after support ends. However, using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets. The only mitigation available is to uninstall QuickTime for Windows.”
Sanjay Ramnath, Senior Director of Security Product Management for Barracuda, explains, “While Apple has every right to discontinue any of its products, it should be done so in a way to limit risk to its users. Unfortunately, given how widespread the use is, pulling the plug without pre-announcement and without fixing known problems causes significant risk.”
“Unfortunately, companies discontinue products all the time. Quicktime for Windows has been around since the early 90s and I think was the first piece of Windows software released by Apple. However, since its feature set has been eclipsed by other programs over the years it sort of makes sense to discontinue it,” states Cris Thomas, Strategist for Tenable Network Security. “In fact, for most users there is no need for Quicktime at all. It is no longer required by iTunes and web video is usually served by HTML 5 these days.”
The abrupt expiration of support for QuickTime means that Apple will no longer issue patches or security updates for known or reported vulnerabilities, including the two described in the TrendMicro Zero Day Initiative. The implication of this announcement is that Windows machines using QuickTime will be increasingly vulnerable to zero-day attacks.
To complicate things further, any application that relies on QuickTime will need to switch, and for most organizations, a switch like this will take time, impacting productivity and putting them at even greater risk. Adobe has already issued guidance explaining that uninstalling QuickTime could have an adverse effect on Adobe Creative Cloud customers.
There is some good news according to Tenable’s Thomas. “Since the current version of Quicktime for Windows 7.7.9 removed the browser plugin anyway, there is no way for an attack to automatically compromise a system with a simple drive-by exploit. The attacker would have to convince a victim to download a specially crafted file and then get them to open it in Quicktime.”
Ramnath stresses, “The best defense is often a great offense. Customers should ensure they have layered security to protect against these types of attacks—security solutions that block malicious attachments and links or use other advanced threat detection techniques.”
It’s one thing to discontinue support for a software product, however abruptly yanking support for a widely-used program without even addressing known critical security vulnerabilities is another matter entirely. Thomas has some harsh words for the fact that Apple not only isn’t supporting QuickTime, but still continues to offer the software for download from its website.
“Since Apple knows these products have critical vulnerabilities, they should be made unavailable for download. Leaving them in place is simply gross negligence,” proclaims Thomas.
PC Users can find instructions for uninstalling QuickTime for Windows on the Apple Uninstall QuickTime page. If you believe your PC has already been infected, contact the Support Team at Great Lakes Computer to help get your computer virus and malware free.