In short: This is an urgent call to action – please uninstall QuickTime for Windows as soon as possible, because there are two serious reasons: First, Apple is deprecating QuickTime for Microsoft Windows – no further security updates are provided. And second, there a two zero day vulnerabilities in QuickTime for Microsoft Windows publicly disclosed.
Apples QuickTime for Microsoft Windows is a video player, that has been shipped with Software like iTunes. Also some third party software is using QuickTime to import or play video files in .mov format. QuickTime for Windows support ended at Windows 7. Windows 8, Windows 8.1 and Windows 10 was unsupported.
Zero day vulnerability in QuickTime
A few days ago, Zero Day Initiative has disclosed publicly two vulnerabilities in Apple’s QuickTime. The vulnerabilities are causing Heap Corruption and provides a possibility for attackers for remote code execution. The vulnerabilities are documented here. US-CERT alerts users about Apple`s end of support for QuickTime for Windows and announces the vulnerabilities.
Computer systems running unsupported software are exposed to elevated cybersecurity dangers, such as increased risks of malicious attacks or electronic data loss. Exploitation of QuickTime for Windows vulnerabilities could allow remote attackers to take control of affected systems.
Computers running QuickTime for Windows will continue to work after support ends. However, using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets. The only mitigation available is to uninstall QuickTime for Windows.
Also security firm Trend Micro has this article, mentions the vulnerabilities ZDI-16-241 and ZDI-16-242, and recommend to uninstall QuickTime for Windows as soon as possible. Users can find instructions for uninstalling QuickTime for Windows on the Apple Uninstall QuickTime page. Note that this does not apply to QuickTime on Mac OS X.
Side note: Today security firms are not aware of any active attacks against these vulnerabilities currently. But it’s only a question of time, until an attacker may use these vulnerabilities.