Users of QuickTime for Windows have been warned to uninstall the product after Apple ended support for it, leaving two disclosed security vulnerabilities unpatched.
PC owners have been advised by the Department of Homeland Security to remove the product. “According to Trend Micro, Apple will no longer be providing security updates for QuickTime for Windows, leaving this software vulnerable to exploitation,” said the advisory.
Trend Micro discovered two bugs in the software that could allow attackers to compromise a user's system. Both are remote code execution flaws: an attacker could run code and plant malware on a system simply by tricking the victim into opening a malicious file or following a web link to one.
“Our Zero Day Initiative has just released two advisories ZDI-16-241 and ZDI-16-242 detailing two new, critical vulnerabilities affecting QuickTime for Windows. These advisories are being released in accordance with the Zero Day Initiative's Disclosure Policy for when a vendor does not issue a security patch for a disclosed vulnerability,” said Christopher Budd of Trend Micro's Global Threat Communications team.
“And because Apple is no longer providing security updates for QuickTime on Windows, these vulnerabilities are never going to be patched.”
While no active attacks exploiting the flaws have been discovered, the firm said the only way to protect Windows systems was to remove QuickTime.
“QuickTime for Windows now joins Microsoft Windows XP and Oracle Java 6 as software that is no longer being updated to fix vulnerabilities and subject to ever increasing risk as more and more unpatched vulnerabilities are found affecting it,” said Budd.
Fraser Kyne, regional SE director at Bromium, told SCMagazineUK.com that more apps means more code, which in turn means more vulnerabilities.
“Reducing the attack surface is always a good idea. Thankfully, QuickTime for Windows is unlikely to be considered a mission-critical application, so removing it should not concern people,” he said.
“This begs a question though: why was it installed in the first place? It also reveals a more challenging question about supporting business applications that are out of date. Many organisations can't update applications as the updates may be incompatible with their line of business apps.”
Matt Middleton-Leal, regional director UK and Ireland for CyberArk, told SC that unsupported software abounds in enterprise organisations.
“This is a reality that security teams will not be able to eradicate, so it then becomes a question of how to mitigate damage. Recognising that flaws in defences or software vulnerabilities will mean that determined attackers will penetrate into the network to an extent, smart organisations are looking to put in place tech that prevents attack escalation before irreparable business harm is done,” he said.
Donato Capitella, senior security consultant at MWR InfoSecurity, told SC that to mitigate these risks, organisations should make sure they have a full inventory of the software used across their estate and keep track of when this software is reaching its end-of-life.
“This allows companies to then prepare and implement a plan to migrate to either newer or alternative software before end-of-life is actually reached,” he said.
Capitella added that it is important that defence-in-depth measures and compensating controls are implemented to mitigate the risk.
“Depending on the type of software, different solutions can be applied. For example, legacy software and systems could be segregated to an isolated network (better if behind a two-factor authentication VPN) to which only a handful of authorised users have access. Access to this legacy software could be actively monitored by a SOC team (Security Operations Centre) to detect if any exploitation or suspicious activity is taking place.”
Apple's website provides instructions on how to uninstall QuickTime for Windows. The Mac version continues to be updated and supported as usual.
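The inventory and removal steps above can be scripted. The PowerShell below is an added example and is not code from the article, Apple, Trend Micro or any of the quoted firms: it enumerates installed software from the Windows Uninstall registry keys (both the native and WOW6432Node hives), flags anything matching a constructed end-of-life list, and removes QuickTime for Windows through its registered MSI product code. The `$EndOfLife` patterns and notes are assumptions for illustration; the function names are hypothetical. Run it in an elevated session.

```powershell
# Added example (not from the article): inventory installed software, flag
# end-of-life products, and remove QuickTime for Windows via msiexec.

# Constructed end-of-life list; the patterns and notes are assumptions for
# this example, not data from the article. Extend it for your own estate.
$EndOfLife = @(
    @{ Pattern = 'QuickTime*';  Note = 'Apple no longer issues security updates for Windows' },
    @{ Pattern = 'Java(TM) 6*'; Note = 'Oracle Java 6 public updates ended' }
)

function Get-InstalledSoftware {
    # Read both hives so 32-bit applications on 64-bit Windows are not missed.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, UninstallString, PSChildName
}

function Find-EndOfLifeSoftware {
    param([object[]]$Inventory = (Get-InstalledSoftware))
    foreach ($app in $Inventory) {
        foreach ($eol in $EndOfLife) {
            if ($app.DisplayName -like $eol.Pattern) {
                [pscustomobject]@{
                    Computer    = $env:COMPUTERNAME
                    DisplayName = $app.DisplayName
                    Version     = $app.DisplayVersion
                    Publisher   = $app.Publisher
                    ProductCode = $app.PSChildName   # {GUID} key name for MSI-installed products
                    Note        = $eol.Note
                }
            }
        }
    }
}

function Remove-QuickTimeForWindows {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $qt = Get-InstalledSoftware |
        Where-Object { $_.DisplayName -like 'QuickTime*' -and $_.Publisher -like 'Apple*' }
    if (-not $qt) { Write-Verbose 'QuickTime for Windows is not installed.'; return }
    foreach ($app in $qt) {
        # Only act on MSI product codes. Executing an arbitrary UninstallString from
        # the registry is risky: a tampered key could point at any binary.
        if ($app.PSChildName -notmatch '^\{[0-9A-Fa-f-]{36}\}$') {
            Write-Warning "Skipping $($app.DisplayName): key $($app.PSChildName) is not an MSI product code"
            continue
        }
        if ($PSCmdlet.ShouldProcess($app.DisplayName, 'msiexec /x')) {
            $proc = Start-Process -FilePath 'msiexec.exe' `
                -ArgumentList "/x $($app.PSChildName) /qn /norestart" -Wait -PassThru
            # 0 = success, 3010 = success but a reboot is required.
            if ($proc.ExitCode -in 0, 3010) {
                Write-Output "Removed $($app.DisplayName) (msiexec exit $($proc.ExitCode))"
            } else {
                Write-Warning "msiexec returned $($proc.ExitCode) for $($app.DisplayName)"
            }
        }
    }
}

# Usage:
#   Find-EndOfLifeSoftware | Format-Table -AutoSize
#   Remove-QuickTimeForWindows -WhatIf    # preview only
#   Remove-QuickTimeForWindows -Verbose   # perform the uninstall
```

`Find-EndOfLifeSoftware` emits one object per match, so its output can be piped to `Export-Csv` and collected from many hosts with `Invoke-Command` to build the estate-wide inventory the article recommends. The removal function supports `-WhatIf` so it can be dry-run before being pushed through a management tool.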