Running QuickTime for Windows on your PC? You should uninstall it. NOW.

Quick, it’s time to uninstall QuickTime, Windows users told.

Running QuickTime for Windows on your PC? You should uninstall it. NOW.

If you are running QuickTime for Windows on your personal computer, you should uninstall it as soon as possible.

QuickTime is a multimedia solution designed by Apple. It allows a computer to handle video, audio, and interactive content on its computers. The software was originally released on Mac computers back in 1991, and eventually showed up on Windows machines at a later date.

Fast-forward to last year. In November of 2015, researchers at the Zero-Day Initiative (ZDI) discovered two remote code execution vulnerabilities in Windows installations of QuickTime.

One of the bugs exists in the moov atom, while the other flaw rests within atom processing.

The two vulnerabilities are strikingly similar. By specifying an invalid value or index within the vulnerability sites, an attacker can write data outside of the allocated heap buffer and execute arbitrary code under the context of the QuickTime player.

Additionally, in both cases, a user can be hit by visiting a malicious webpage or running a malicious file.

These security issues are quite serious. They both received a 6.8 CVSS 2.0 score. But they're nothing that Apple couldn't fix with a simple update to QuickTime.

Only therein lies the problem.

The two vulnerabilities were disclosed publicly on Thursday without a patch because the Windows version of QuickTime is deprecated, i.e. it will no longer receive security updates.

Those running Windows QuickTime should refer to Apple's guide, which provides instructions on how they can remove the unsupported software from their computers:

"Uninstalling QuickTime 7 also removes the legacy QuickTime 7 web plug-in, if present. Websites increasingly use the HTML5 web standard for a better video-playback experience across a wide range of browsers and devices, without additional software or plug-ins. Removing legacy browser plug-ins enhances the security of your PC."

At this time, Apple has not officially announced the end of Windows QuickTime.

Security researchers have yet to observe attacks that are exploiting those vulnerabilities, but we can reason that it is only a matter of time.

An alert issued by the US Homeland Security's Computer Emergency Readiness Team (CERT) agrees that the threat is serious:

"Computers running QuickTime for Windows will continue to work after support ends. However, using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets. The only mitigation available is to uninstall QuickTime for Windows."

Those running QuickTime on their Windows machines should click on the "Start" icon, go to "Control Panel" > "Programs" > "Programs and Features," select "QuickTime Player," and hit "Uninstall."

At this time, those running QuickTime on Apple devices are not affected by the two zero-day vulnerabilities discovered last fall. Unless we're told otherwise, Apple will also continue to update the software on its own computers.

Tags: , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

Subscribe to the free GCHQ newsletter

, , ,

5 Responses

  1. Alex

    April 18, 2016 at 3:10 pm #

    yep they'll exploit it now that you've let them know they can and what to target….dumb ass,

  2. MPA

    April 18, 2016 at 3:17 pm #

    Hmmm now why should Homeland Security care what happens on my computer? Sounds like the application must impede Law Enforcement somehow.

  3. Melvin

    April 18, 2016 at 3:22 pm #

    FYI, your CERT link is just pointing to google news; you may want https://www.us-cert.gov/ncas/alerts/TA16-105A instead.

  4. Zoey Barkow

    April 18, 2016 at 6:04 pm #

    hey alex, and mpa,

    you seem all smart, so go ahead and don't remove it. then let us know how that's working out for you in about a month.

    alex, it's never been about news orgs informing the public about vulnerabilities that allows criminals to know and attack them. you should really consider not using computers ever again, now go back to your legos and your safe space.

    mpa, you need to re up on the tin foil hats, they seem to be loosing their potency

  5. timbald

    April 19, 2016 at 8:39 am #

    Quicktime has traditionally been a requirement on Windows for any users of Adobe Premiere Pro. Adobe released this statement in April 2016 about this Quicktime news, for any concerned users of Premiere Pro CC who might otherwise cripple their working edit suites if they remove Quicktime in a rush:
    http://blogs.adobe.com/creativecloud/quicktime-on-windows/

Leave a Reply