April 15, 2016 By Larry Loeb 2 min read

Trend Micro issued a warning for all Windows users of QuickTime urging them to uninstall the Apple software. Along with this warning, it described two zero-day vulnerabilities in the software that will go unpatched.

A third party announcing what Apple’s intentions are for a major hunk of the company’s software is highly unusual. As of this writing, there has been no official word from Apple concerning this. But a clue can be gleaned from the instructions for uninstalling QuickTime for Windows.

“Most recent media-related programs for Windows — including iTunes 10.5 or later — no longer use QuickTime to play modern media formats,” Apple wrote. “These programs either play the media directly or use the media support built into Windows.” It seems that Apple feels QuickTime is no longer needed, and as a result, it won’t continue to support or update the application.

Zero-Day Vulnerabilities in QuickTime for Windows

But there’s more: Trend Micro also announced newly discovered zero-day vulnerabilities in the media player. Zero-Day Initiative detailed the two issues, ZDI-16-241 and ZDI-16-242, affecting QuickTime for Windows, and Trend Micro claimed that its own products have been protecting against these exploits since November 2015.

So why go public now? “These advisories are being released in accordance with the Zero Day Initiative’s Disclosure Policy for when a vendor does not issue a security patch for a disclosed vulnerability,” the security firm stated on its blog. “And because Apple is no longer providing security updates for QuickTime on Windows, these vulnerabilities are never going to be patched.”

Trend Micro said it is “not aware of any active attacks against these vulnerabilities currently.” Still, it clarified that the only way to ensure security is to uninstall the program before cybercriminals find a way to exploit the permanent vulnerabilities.

QuickTime for Windows follows other software such as Microsoft Windows XP and Oracle Java 6, which are no longer being updated to fix vulnerabilities. That makes them subject to ever-increasing risk as more and more unpatched vulnerabilities are found and cybercriminals attempt to exploit them.

CERT Weighs In

The U.S. Computer Emergency Readiness Team (US-CERT) amplified the warning about the vulnerability in its own alert. The organization said the impact is potentially damaging to users and their organizations.

“Computer systems running unsupported software are exposed to elevated cybersecurity dangers, such as increased risks of malicious attacks or electronic data loss,” US-CERT said. “Exploitation of QuickTime for Windows vulnerabilities could allow remote attackers to take control of affected systems.”

The only thing that users can responsibly do is uninstall QuickTime for Windows — immediately.

More from

Taking the complexity out of identity solutions for hybrid environments

4 min read - For the past two decades, businesses have been making significant investments to consolidate their identity and access management (IAM) platforms and directories to manage user identities in one place. However, the hybrid nature of the cloud has led many to realize that this ultimate goal is a fantasy. Instead, businesses must learn how to consistently and effectively manage user identities across multiple IAM platforms and directories. As cloud migration and digital transformation accelerate at a dizzying pace, enterprises are left…

IBM identifies zero-day vulnerability in Zyxel NAS devices

12 min read - While investigating CVE-2023-27992, a vulnerability affecting Zyxel network-attached storage (NAS) devices, the IBM X-Force uncovered two new flaws, which when used together, allow for pre-authenticated remote code execution. Zyxel NAS devices are typically used by consumers as cloud storage devices for homes or small to medium-sized businesses. When used together, the flaws X-Force discovered allow a remote attacker to execute arbitrary code on the device with superuser permissions and without requiring any credentials. This results in complete control over the…

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything. But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists…

Unified endpoint management for purpose-based devices

4 min read - As purpose-built devices become increasingly common, the challenges associated with their unique management and security needs are becoming clear. What are purpose-built devices? Most fall under the category of rugged IoT devices typically used outside of an office environment and which often run on a different operating system than typical office devices. Examples include ruggedized tablets and smartphones, handheld scanners and kiosks. Many different industries are utilizing purpose-built devices, including travel and transportation, retail, warehouse and distribution, manufacturing (including automotive)…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today