Thursday, April 14, 2016

Got QuickTime? Take a moment to "unget" it


Correction: the original post referred to ZDI as a division of HP; Trend Micro bought ZDI from HP in October 2015. At this point, the discontinuation of Apple's QuickTime for Windows product is a statement from Trend Micro and not publicly confirmed by Apple. Regardless, QuickTime has publicly-disclosed flaws that can be exploited to take control of your PC, and has not fixes available.

Apple just discontinued and published removal instructions for QuickTime for Windows, a once-popular video player and web browser plugin. Software that lingers on past a vendor dropping support for it can quickly become a gateway for malicious hackers to enter your computer - Windows XP has been an infamous example since Microsoft dropped support for it in April 2014.

QuickTime is no exception: Trend Micro's Zero Day Initiative found a few new vulnerabilities that can be exploited to take control of your PC, and so recommends that you remove QuickTime right away. To be fair, the risk here is a bit less than it is with, say, Adobe's Flash Player or Microsoft's Silverlight. While those products can run in your browser automatically upon loading a webpage, the QuickTime plugin is an older format that most browsers no longer support. One would have to open a QuickTime movie outside a browser (perhaps from an email attachment) to be at risk.


But here's the kicker: Apple's own Software Update utility still offers to install it for you. Don't. I still recommend keeping Apple Software Update - let it keep any Apple software you do use up to date - but don't let it install QuickTime!



References:

  • ZDI-16-241: Apple QuickTime moov Atom Heap Corruption Remote Code Execution Vulnerability
  • ZDI-16-242: Apple QuickTime Atom Processing Heap Corruption Remote Code Execution Vulnerability
  • Apple HT205771: Uninstall QuickTime 7 for Windows
  • US-CERT TA16-105A: Apple Ends Support for QuickTime for Windows; New Vulnerabilities Announced
  • CSOonline: CERT advisory urges QuickTime removal due to vulnerabilities, Apple does too