Alerts and Advisories

Advisory: Apple QuickTime for Windows

Created:  22 Apr 2016
Updated:  22 Apr 2016

Originally published by CERT-UK (now a part of the National Cyber Security Centre)

Summary

QuickTime for Microsoft Windows is no longer supported by Apple and the current advice is to remove it from all Windows OS Devices devices.

The removal instructions can be found here https://support.apple.com/HT205771

QuickTime for Mac OSX is unaffected, can be considered to still be supported, and subject to security patches as required.


Further details

Two vulnerabilities have been found and published by the TippingPoint Zero Day Initiative (ZDI) and, as per their rules, Apple have been given a certain amount of time to fix the problems. However, Apple have previously indicated that they do not intend to provide patches for QuickTime any longer on the Windows operating system. As such the ZDI have made these issues public.

In response to the incidents raised to them, Apple have responded by providing the uninstallation instructions for QuickTime as a solution.

Both the issues raised by the ZDI are remote code execution vulnerabilities and, without security measures to prevent their exploitation, allow malicious websites (.mov or .qt files) to exploit weaknesses in the heap buffers and run code in the security context of the user currently logged in to the machine.

While no active threats have been detected yet, the confirmation that Apple no longer plan to patch QuickTime could encourage threat actors to take action quickly while organisations take time to remove the application on a large scale.

Was this information helpful?

We need your feedback to improve this content.

Yes No