The U.S. Department of Homeland Security on Thursday issued a warning advising users to remove Apple’s QuickTime for Windows. The alert came in response to Trend Micro’s report of two security flaws in the software, which will never be patched because Apple has ended support for QuickTime for Windows.
Computers running QuickTime are open to increased risk of malicious attack or data loss, US-CERT warned, and remote attackers could take control of a victim’s computer system. US-CERT is part of DHS’ National Cybersecurity and Communications Integration Center.
“We alerted DHS because we felt the situation was broad enough that people having unpatched vulnerabilities on their system needed to be made aware,” said Christopher Budd, global threat communication manager at Trend Micro.
Apple has not discontinued security updates for QuickTime on Apple computer systems. It is not clear why Apple made the decision to end Windows support.
Apple has posted a link that instructs users how to remove QuickTime for Windows. The instructions advise those using a QuickTime 7 Pro registration key to save the key before uninstalling.
Zero Day Warning
Trend Micro’s Zero Day Initiative learned about the vulnerabilities from researcher Steven Seeley of Source Incite, who is named in the warning, Budd told TechNewsWorld. ZDI then issued advisories detailing the critical vulnerabilities:
- The Apple QuickTime moov Atom Heap Corruption Remote Code Execution vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of QuickTime. The problem first came to ZDI’s attention late last year. The number of users at risk is unknown at this time.
- The QuickTime Atom Processing Heap Corruption Remote Code Execution Vulnerability allows an attacker to write data outside of an allocated heap buffer by providing an invalid index.
Software makers regularly retire applications, so it was not unusual that QuickTime would be vulnerable, Budd said.
However, it was odd that Apple did not issue a public statement about ending its support for QuickTime for Windows and that the software was still available for download, he added.
Increasing Software Vulnerability
QuickTime joins a growing list of software that is no longer supported, Budd noted in Trend Micro’s Thursday call to action. That list includes Microsoft Windows XP and Oracle Java 6, which means users of those products increasingly will be vulnerable to attack.
DHS didn’t have any comment to add to its alert, said spokesperson Scott McConnell, who referred questions to Apple. Apple did not respond to our request for comment for this story.
The warnings come amid a spate of recent reports about computer system vulnerabilities, including one issued just days ago about a vulnerability in Adobe’s Flash Player that could leave computers open to ransomware, which can lock up entire systems until an attacker is paid to release control.