Thursday, April 14, 2016

Got QuickTime? Take a moment to "unget" it


Correction: the original post referred to ZDI as a division of HP; Trend Micro bought ZDI from HP in October 2015. At this point, the discontinuation of Apple's QuickTime for Windows is a statement from Trend Micro and has not been publicly confirmed by Apple. Regardless, QuickTime for Windows has publicly disclosed flaws that can be exploited to take control of your PC, and no fixes are available.

Apple has published removal instructions for QuickTime for Windows, a once-popular video player and web browser plugin, and according to Trend Micro's Zero Day Initiative the product has reached the end of its supported life. Software that lingers on after a vendor drops support for it quickly becomes a gateway for malicious hackers into your computer; Windows XP has been the infamous example since Microsoft dropped support for it in April 2014.

QuickTime is no exception: Trend Micro's Zero Day Initiative has disclosed two new vulnerabilities (ZDI-16-241 and ZDI-16-242, both heap corruption bugs in the way QuickTime processes movie "atoms") that can be exploited to take control of your PC, and so recommends that you remove QuickTime right away. To be fair, the risk here is somewhat lower than it is with, say, Adobe's Flash Player or Microsoft's Silverlight. Those products run in your browser automatically as soon as a web page loads, while the QuickTime plugin uses an older plugin interface that most current browsers no longer load. In most cases you would have to open a malicious QuickTime movie outside a browser (perhaps from an email attachment) to be at risk, though a browser that still loads the QuickTime plugin would expose you through a web page as well.


But here's the kicker: Apple's own Software Update utility still offers to install QuickTime for you. Don't accept it. I still recommend keeping Apple Software Update, and letting it keep any Apple software you do use up to date, but don't let it install QuickTime!
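Apple's HT205771 walks through removing QuickTime by hand from the Windows Control Panel. For anyone who has to check more than one PC, the script below is an added example (it is not from the original post, from Apple, or from Trend Micro) that finds QuickTime for Windows through the standard Windows Installer uninstall registry keys and removes it with msiexec. It assumes QuickTime registers a DisplayName beginning with "QuickTime" and that it was installed by Windows Installer, so the registry key name is the MSI product code; both are assumptions, not something the post states. Run it from an elevated PowerShell prompt, with -DetectOnly first if you just want an inventory.

```powershell
# Added example, not code from the original post or from Apple.
# Find QuickTime for Windows in the Windows Installer uninstall keys and remove it.
# Assumptions (labelled as such): DisplayName starts with "QuickTime", and the
# product was installed by Windows Installer so the key name is the MSI product code.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$DetectOnly   # report what is installed, change nothing
)

# Both the native and the 32-bit-on-64-bit uninstall hives
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-QuickTimeInstall {
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root | ForEach-Object {
            $props = Get-ItemProperty $_.PSPath
            if ($props.DisplayName -like 'QuickTime*') {   # assumed naming
                [pscustomobject]@{
                    DisplayName     = $props.DisplayName
                    DisplayVersion  = $props.DisplayVersion
                    ProductCode     = $_.PSChildName        # MSI GUID for Windows Installer products
                    UninstallString = $props.UninstallString
                }
            }
        }
    }
}

$found = @(Get-QuickTimeInstall)
if ($found.Count -eq 0) {
    Write-Host 'QuickTime for Windows is not installed on this machine.'
    return
}

$found | Format-Table DisplayName, DisplayVersion, ProductCode -AutoSize

if ($DetectOnly) { return }

foreach ($qt in $found) {
    # Only drive msiexec when the key name really is a product code GUID
    if ($qt.ProductCode -match '^\{[0-9A-Fa-f-]{36}\}$') {
        if ($PSCmdlet.ShouldProcess($qt.DisplayName, 'Uninstall via msiexec')) {
            # /x = uninstall this product, /qn = no UI, /norestart = do not reboot
            $proc = Start-Process -FilePath msiexec.exe `
                -ArgumentList "/x $($qt.ProductCode) /qn /norestart" -Wait -PassThru
            # 0 = success, 3010 = success but a reboot is pending
            if ($proc.ExitCode -in 0, 3010) {
                Write-Host "Removed $($qt.DisplayName) (msiexec exit code $($proc.ExitCode))"
            } else {
                Write-Warning "msiexec returned $($proc.ExitCode) for $($qt.DisplayName); remove it from Control Panel"
            }
        }
    } else {
        # Some other installer registered it; show the vendor's own uninstall command instead
        Write-Warning "$($qt.DisplayName) is not a Windows Installer product; run: $($qt.UninstallString)"
    }
}
```

Re-run the script with -DetectOnly after removal to confirm nothing is left, and keep in mind that it only addresses QuickTime itself; it does nothing to stop Apple Software Update from offering to put QuickTime back, so you still have to decline that offer.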



References:

  • ZDI-16-241: Apple QuickTime moov Atom Heap Corruption Remote Code Execution Vulnerability
  • ZDI-16-242: Apple QuickTime Atom Processing Heap Corruption Remote Code Execution Vulnerability
  • Apple HT205771: Uninstall QuickTime 7 for Windows
  • US-CERT TA16-105A: Apple Ends Support for QuickTime for Windows; New Vulnerabilities Announced
  • CSOonline: CERT advisory urges QuickTime removal due to vulnerabilities, Apple does too

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen

Whois David?


I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.