Why is the Department of Homeland Security urging Windows users to uninstall QuickTime?
Apple announced last November that it would stop issuing security updates for the Windows version of the popular video program. The call for Windows users to uninstall it stems from concern that, without security updates, vulnerabilities will stay open for attackers to exploit. Since no further security patches will be distributed, the only option is to remove the program.
ZDI published Apple’s first announcement that it would discontinue support for Windows versions of the software, and critical security vulnerabilities were reported soon after that on November 11, 2015.
An Apple spokesperson said, “First, Apple will be deprecating QuickTime for Windows, and will no longer issue updates for the Windows version. We recommend that users uninstall it. Keep in mind this does not apply to our QuickTime for Mac OSX. Also, our Zero-Day Initiative has released two warnings, ZDI-16-241 and ZDI-16-242, detailing two recent and critical security weaknesses in QuickTime for Windows.”
Both vulnerabilities are corruption flaws that could provide an easy point of entry for remotely executed attacks. The attack most likely to exploit these weaknesses would come through a corrupted file that reaches a victim’s machine after the victim visits a malicious website.
The spokesperson went on to say, “These vulnerabilities are heap corruptions of the remote code execution type. One occurs when an attacker writes data outside an allocated buffer. The other occurs in the stco atom by providing a bad index allowing an attacker to write data from outside a sanctioned heap buffer. Both vulnerabilities will require users to visit malicious web pages or to open malicious files which will exploit the vulnerabilities. And both of these vulnerabilities will execute code inside the security context of the Windows QuickTime player.”
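The defensive counterpart to the stco flaw described above, as an added example that is not Apple's or ZDI's code: a parser that checks every length and index read from an stco (chunk offset) atom against the bytes actually present before using it. The page does not give the details of the reported bug, so this shows the general class of check; the function names, result codes and sample atoms are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Result codes for this added example (names are hypothetical). */
enum { STCO_OK = 0, STCO_TRUNCATED = -1, STCO_BAD_TYPE = -2,
       STCO_BAD_SIZE = -3, STCO_BAD_COUNT = -4, STCO_BAD_INDEX = -5 };

typedef struct {
    const uint8_t *entries;   /* first 32-bit big-endian chunk offset */
    uint32_t count;           /* validated number of entries */
} stco_table;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse an stco atom: size(4) 'stco'(4) version+flags(4) count(4) offsets(4*count).
 * Every length taken from the file is checked against the bytes really present. */
int stco_parse(const uint8_t *buf, size_t len, stco_table *out) {
    if (len < 16) return STCO_TRUNCATED;
    if (buf[4] != 's' || buf[5] != 't' || buf[6] != 'c' || buf[7] != 'o')
        return STCO_BAD_TYPE;
    uint32_t size = be32(buf);
    /* Also rejects the special size values 0 and 1, which this example does not handle. */
    if (size < 16 || size > len) return STCO_BAD_SIZE;
    uint32_t count = be32(buf + 12);
    /* Divide instead of multiplying so a huge count cannot overflow. */
    if (count > (size - 16) / 4) return STCO_BAD_COUNT;
    out->entries = buf + 16;
    out->count = count;
    return STCO_OK;
}

/* Bounds-checked lookup: a bad index is rejected, never used as an offset. */
int stco_get(const stco_table *t, uint32_t index, uint32_t *offset) {
    if (index >= t->count) return STCO_BAD_INDEX;
    *offset = be32(t->entries + (size_t)index * 4);
    return STCO_OK;
}

/* Constructed sample atoms, not taken from any real file. */
const uint8_t good_atom[] = { 0,0,0,24, 's','t','c','o', 0,0,0,0,
                              0,0,0,2, 0,0,0,0x30, 0,0,1,0 };
/* Declares 0xFFFFFFFF entries but carries only one. */
const uint8_t lying_atom[] = { 0,0,0,20, 's','t','c','o', 0,0,0,0,
                               0xFF,0xFF,0xFF,0xFF, 0,0,0,0x30 };
```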
QuickTime will soon become unusable on Windows whether or not users are actually being attacked. Those who search the Internet for solutions to the problem will invariably encounter malicious sites and software that use the program’s frailties to attack the user’s machine.
There really isn’t much of an option. Users will have to uninstall the program or face the very high risk of losing their personal information to criminals, or at least of suffering critical damage to their systems.
But it’s not a total loss. There is one additional benefit to uninstalling QuickTime. Doing so will also remove the legacy QuickTime version 7 plug-in. Because the legacy QuickTime plug-in predates HTML5 web security protocols, it actually represents another security flaw that can be remedied by removing it.
Apple reports that there will be no negative effects on Apple OS users. The company has disabled the plug-in for Apple browsers. But US-CERT has issued a statement saying that it is not sure that Apple users are not exposed to risks from the two cited vulnerabilities.
Computers that are running the Apple software product will still work after Apple withdraws its support. But using the unsupported software increases the risk of a successful attack. Such attacks may result in compromised personal information, such as Social Security numbers or banking information, or the loss of other important assets. The only way to avoid these risks is for Windows users to remove all versions of QuickTime from their computers as soon as possible.
At the time of this report, there are no known attacks designed to exploit these vulnerabilities. This means Windows users can escape attack unharmed if they uninstall now. But there is no doubt that attacks against these weaknesses are being written at this very moment, and the only way to guard against them is by removing QuickTime.