If you are running QuickTime for Windows on your personal computer, you should uninstall it as soon as possible.
QuickTime is a multimedia solution designed by Apple. It allows a computer to handle video, audio, and interactive content on its computers. The software was originally released on Mac computers back in 1991, and eventually showed up on Windows machines at a later date.
Fast-forward to last year. In November of 2015, researchers at the Zero-Day Initiative (ZDI) discovered two remote code execution vulnerabilities in Windows installations of QuickTime.
The two vulnerabilities are strikingly similar. By specifying an invalid value or index within the vulnerability sites, an attacker can write data outside of the allocated heap buffer and execute arbitrary code under the context of the QuickTime player.
Additionally, in both cases, a user can be hit by visiting a malicious webpage or running a malicious file.
These security issues are quite serious. They both received a 6.8 CVSS 2.0 score. But they’re nothing that Apple couldn’t fix with a simple update to QuickTime.
Only therein lies the problem.
The two vulnerabilities were disclosed publicly on Thursday without a patch because the Windows version of QuickTime is deprecated, i.e. it will no longer receive security updates.
Those running Windows QuickTime should refer to Apple’s guide, which provides instructions on how they can remove the unsupported software from their computers:
“Uninstalling QuickTime 7 also removes the legacy QuickTime 7 web plug-in, if present. Websites increasingly use the HTML5 web standard for a better video-playback experience across a wide range of browsers and devices, without additional software or plug-ins. Removing legacy browser plug-ins enhances the security of your PC.”
At this time, Apple has not officially announced the end of Windows QuickTime.
Security researchers have yet to observe attacks that are exploiting those vulnerabilities, but we can reason that it is only a matter of time.
An alert issued by the US Homeland Security’s Computer Emergency Readiness Team (CERT) agrees that the threat is serious:
“Computers running QuickTime for Windows will continue to work after support ends. However, using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets. The only mitigation available is to uninstall QuickTime for Windows.”
Those running QuickTime on their Windows machines should click on the “Start” icon, go to “Control Panel” > “Programs” > “Programs and Features,” select “QuickTime Player,” and hit “Uninstall.”
At this time, those running QuickTime on Apple devices are not affected by the two zero-day vulnerabilities discovered last fall. Unless we’re told otherwise, Apple will also continue to update the software on its own computers.