Recently, Trend Micro warned of two serious remote code execution vulnerabilities in Apple’s QuickTime for Windows. This was quickly picked up by the U.S. Computer Emergency Readiness Team (US-CERT), which issued its own alert concluding that the only safe course of action is to uninstall.

Apple has been phasing out development and support for QuickTime for Windows since version 7, released almost a decade ago. Although exploits for these vulnerabilities have yet to be seen in the wild, it’s time to get QuickTime off all Windows machines.

Few dependencies on the product remain; some Adobe integrations still depend on older codecs that rely on QuickTime, but Adobe is working on a solution.

How to Address Risks

So what about the impact on enterprises, where QuickTime (along with a whole host of other software carrying unpatched vulnerabilities) may still be installed?

I asked Dr. Dale Meyerrose, retired major general in the U.S. Air Force and former Associate Director of National Intelligence, about the issue. Now an independent consultant, he had much to say about effective remediation techniques.

“I’m continuously asked by CXOs where they can get the biggest bang for their buck, their biggest immediate reduction in risk, and for me the answer is almost always the same: basic blocking and tackling, [and] well-implemented continuous internal controls, especially those focused on the vulnerable endpoint,” he said.

“Basic housekeeping, though perhaps not the most exciting of topics, is by far one of the largest problems that we really struggle to manage well.”

Finding Fixes for QuickTime for Windows

Unfortunately, home users are largely on their own to make and carry out these decisions. In the enterprise, however, this is where mechanisms and products such as IBM BigFix can excel, especially with a vibrant and active community of users that create, share and validate fixlets to automate remediation.
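As an added illustration of what such automated remediation does on each endpoint (example code written for this page, not a BigFix fixlet or any IBM or Apple code), the PowerShell script below audits a Windows host for QuickTime for Windows and, only when run with -Remove, performs a silent MSI uninstall. It assumes the product registers an entry whose DisplayName starts with "QuickTime" under the standard Uninstall registry keys and that the entry name is an MSI product code.

```powershell
# Added example: audit a Windows host for QuickTime for Windows and optionally remove it.
# Assumptions: DisplayName starts with "QuickTime" under the standard Uninstall keys,
# and the registry entry name (PSChildName) is the MSI product code.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # without -Remove the script only reports what it finds
)

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-QuickTimeInstall {
    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        Get-ChildItem $key | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if ($p.DisplayName -like 'QuickTime*') {
                [pscustomobject]@{
                    DisplayName     = $p.DisplayName
                    DisplayVersion  = $p.DisplayVersion
                    ProductCode     = $_.PSChildName
                    UninstallString = $p.UninstallString
                }
            }
        }
    }
}

$found = @(Get-QuickTimeInstall)
if ($found.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: QuickTime for Windows not found"
    return
}

foreach ($item in $found) {
    Write-Output "$env:COMPUTERNAME: found $($item.DisplayName) $($item.DisplayVersion) ($($item.ProductCode))"
    # Only uninstall MSI-registered entries (GUID product code) and honour -WhatIf / -Confirm.
    if ($Remove -and $item.ProductCode -match '^\{[0-9A-Fa-f-]{36}\}$' -and
        $PSCmdlet.ShouldProcess($item.DisplayName, 'Uninstall')) {
        # Silent removal; the exit code (e.g. 3010 = reboot required) is reported, not hidden.
        $proc = Start-Process -FilePath msiexec.exe `
            -ArgumentList "/x $($item.ProductCode) /qn /norestart" -Wait -PassThru
        Write-Output "$env:COMPUTERNAME: msiexec exit code $($proc.ExitCode)"
    }
}
```

Run it without switches from an elevated prompt to inventory a host; `-Remove -WhatIf` shows what would be uninstalled before committing to it.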

One such fixlet has already been created by an IBM BigFix user and is available for all to use:
