Remove QuickTime from Windows Immediately To Avoid New Security Threats
Administrators and users should uninstall QuickTime from all Windows-based systems following the discovery of two vulnerabilities in the software that Apple has stopped supporting.
The Department of Homeland Security's U.S. Computer Emergency Readiness Team (US-CERT) issued an alert last week advising all users to remove QuickTime from their Windows-based systems now that Apple is no longer issuing security patches for it. The alert came on the heels of an advisory from security vendor Trend Micro, which issued an urgent warning regarding two vulnerabilities in QuickTime for Windows. Mac users are not affected.
Though QuickTime for Windows isn't as widely used these days as it once was, there's a good chance the vulnerabilities could impact more users than those at risk of last week's BadLock threat, particularly those with older PCs. In many cases, IT organizations may have already removed Quicktime.
Trend Micro's Zero Day Initiative for QuickTime for Windows is one of a few such urgent warnings from the company, joining Windows XP and Oracle Java 6 "as software that is no longer being updated to fix vulnerabilities and subject to ever increasing risk as more and more unpatched vulnerabilities are found affecting it," explained Christopher Budd, the company's global threat communications manager, in a blog post warning of the potential exploits.
"Both are heap corruption remote code execution vulnerabilities," Budd explained. "One vulnerability occurs when an attacker can write data outside of an allocated heap buffer. The other vulnerability occurs in the stco atom where by providing an invalid index, an attacker can write data outside of an allocated heap buffer. Both vulnerabilities would require a user to visit a malicious Web page or open a malicious file to exploit them. And both vulnerabilities would execute code in the security context of the QuickTime player, which in most cases would be that of the logged on user."
No known active attacks have resulted from these vulnerabilities but the only way to protect Windows systems from potential attacks or other Apple QuickTime vulnerabilities is to uninstall it right away, he added, noting both vulnerabilities have a CVSS 2.0 score of 6.8 (on a scale ranging from 1-10). Apple has published instructions on removing QuickTime for Windows. However, if you've ever uninstalled software, and presumably you have, it's no different than removing any other application from Windows, and takes no more than a minute. Did you remove yours yet?
Jeffrey Schwartz is editor of Redmond magazine and also covers cloud computing for Virtualization Review's Cloud Report. In addition, he writes the Channeling the Cloud column for Redmond Channel Partner. Follow him on Twitter @JeffreySchwartz.