Two new vulnerabilities in Apple’s QuickTime for Windows are so critical that the federal government is urging users to uninstall the software from their PCs immediately, because the tech giant isn’t going to patch them. In fact, Apple has announced that it will no longer support the multimedia player on the Windows platform at all, meaning the bugs may never be patched, according to security firm Trend Micro. The advisory does not apply to QuickTime for OS X on the Mac.
“These advisories are being released in accordance with the Zero Day Initiative’s Disclosure Policy for when a vendor does not issue a security patch for a disclosed vulnerability,” Trend Micro wrote in a blog post. “And because Apple is no longer providing security updates for QuickTime on Windows, these vulnerabilities are never going to be patched.”
Heap Corruption Remote Code Execution
Both bugs are heap corruption remote code execution vulnerabilities, according to the security company. One vulnerability allows an attacker to write data outside of an allocated heap buffer. The other occurs in the stco atom where an attacker can write data outside of an allocated heap buffer by providing an invalid index.
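The article’s description of the second bug (an invalid index in the stco atom leading to a write outside the heap buffer) describes a classic parsing failure: a container parser trusts a length or count field read from the file and indexes a buffer that was sized from a different field. The following PowerShell triage check is an added example, not code from the article, Trend Micro, ZDI or Apple, and it does not reproduce the QuickTime bug itself. It scans a file’s bytes for `stco` (chunk offset) atoms and flags any whose declared entry count cannot fit inside the atom’s declared size or the file, which is the consistency check a hardened parser performs before indexing. The function names (`Read-UInt32BE`, `Test-StcoAtoms`) and the sample atoms are my own constructions.

```powershell
# Added example (not from the article or its sources): flag 'stco' atoms whose
# entry count is inconsistent with the atom size. Function names are my own.

function Read-UInt32BE {
    param([byte[]]$Bytes, [int]$Offset)
    # Sizes and counts in the QuickTime container are big-endian; BitConverter on
    # Windows is little-endian, so reverse a copy of the four bytes first.
    $slice = [byte[]]$Bytes[$Offset..($Offset + 3)]
    [Array]::Reverse($slice)
    return [BitConverter]::ToUInt32($slice, 0)
}

function Test-StcoAtoms {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $findings = @()
    $tag = [System.Text.Encoding]::ASCII.GetBytes('stco')
    # Linear scan for the 4-byte 'stco' type tag; the 4-byte atom size precedes it.
    # (A full parser would walk moov/trak/mdia/minf/stbl; a byte scan is enough for triage.)
    for ($i = 4; $i -le ($Bytes.Length - 4); $i++) {
        if ($Bytes[$i]   -ne $tag[0] -or $Bytes[$i+1] -ne $tag[1] -or
            $Bytes[$i+2] -ne $tag[2] -or $Bytes[$i+3] -ne $tag[3]) { continue }
        $atomStart = $i - 4
        $atomSize  = Read-UInt32BE $Bytes $atomStart
        # Layout after the 8-byte header: version(1) flags(3) entry_count(4) offsets(4 * entry_count)
        if ($atomStart + 16 -gt $Bytes.Length) {
            $findings += [pscustomobject]@{ Offset = $atomStart; AtomSize = $atomSize;
                                             EntryCount = $null; Consistent = $false; Note = 'truncated header' }
            continue
        }
        $entryCount = Read-UInt32BE $Bytes ($atomStart + 12)
        $needed     = 16 + ([int64]$entryCount * 4)      # bytes the table actually requires
        # All three must hold before an offset table may be indexed:
        $ok = ($atomSize -ge 16) -and
              ($needed -le $atomSize) -and               # count fits the atom's own size
              (([int64]$atomStart + $atomSize) -le $Bytes.Length)   # atom fits the file
        $findings += [pscustomobject]@{ Offset = $atomStart; AtomSize = $atomSize;
                                         EntryCount = $entryCount; Consistent = $ok; Note = '' }
    }
    return $findings
}

# Constructed sample atoms (not real QuickTime files). Size 24 = 16 header/count bytes + 2 offsets.
$validStco = [byte[]]((0,0,0,24) + [System.Text.Encoding]::ASCII.GetBytes('stco') +
                      (0,0,0,0,  0,0,0,2,  0,0,0,40,  0,0,1,0))
# Same declared size, but an entry count of 0x7FFFFFFF: a parser that trusts it walks far past the buffer.
$badStco   = [byte[]]((0,0,0,24) + [System.Text.Encoding]::ASCII.GetBytes('stco') +
                      (0,0,0,0,  0x7F,0xFF,0xFF,0xFF,  0,0,0,40,  0,0,1,0))

Test-StcoAtoms -Bytes $validStco | Format-Table   # Consistent = True
Test-StcoAtoms -Bytes $badStco   | Format-Table   # Consistent = False
```

To triage a real file, pass its bytes in: `Test-StcoAtoms -Bytes ([IO.File]::ReadAllBytes('C:\path\to\sample.mov'))`. A byte scan can produce false positives if the string `stco` happens to occur inside media data, so treat an inconsistent result as a reason to look closer, not as proof of a malicious file.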
For either vulnerability to be exploited, a user would have to visit a malicious Web page or open a malicious file. Each vulnerability would execute code in the security context of the QuickTime player, which in most cases is that of the logged-on user, according to Trend Micro.
The Zero Day Initiative said that it had warned Apple about the two vulnerabilities when they were first discovered in November, but had not received a response from the company for more than three months. Apple finally responded to a second contact from ZDI in March, at which point it said that QuickTime would be deprecated in Windows. ZDI then told Apple it would be issuing a zero-day alert for the vulnerabilities.
No Active Attacks Yet
The U.S. Computer Emergency Readiness Team issued an alert advising all users to remove QuickTime from their Windows machines as soon as possible. “Computers running QuickTime for Windows will continue to work after support ends,” the government agency wrote in an advisory announcement. “However, using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets.”
Despite the potential seriousness of the two vulnerabilities that have been discovered, the security firm said that it is not aware of any active attacks exploiting them currently. Nevertheless, the only way for users to protect their Windows systems from potential attacks against these or other vulnerabilities in Apple QuickTime now is to uninstall it.
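For administrators who need to carry out the uninstall across more than a handful of machines, the following PowerShell script is an added example (not from the article, US-CERT or Apple) that finds QuickTime in the installed-programs registry keys and removes it through `msiexec`. The function names `Get-QuickTimeInstall` and `Remove-QuickTimeInstall` are my own; the script assumes an elevated prompt and an MSI-based QuickTime install, and supports `-WhatIf` so the removal can be previewed before it runs.

```powershell
# Added example (not from the article or its sources): locate and remove
# QuickTime for Windows. Run from an elevated PowerShell prompt.

function Get-QuickTimeInstall {
    # Check both the native and the 32-bit-on-64-bit (Wow6432Node) uninstall keys.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'QuickTime*' } |
        Select-Object DisplayName, DisplayVersion, PSChildName, UninstallString
}

function Remove-QuickTimeInstall {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $found = @(Get-QuickTimeInstall)
    if ($found.Count -eq 0) {
        Write-Output 'QuickTime for Windows is not installed.'
        return
    }

    foreach ($app in $found) {
        # MSI installs are keyed by their product-code GUID; msiexec /x removes by that code.
        if ($app.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$') {
            if ($PSCmdlet.ShouldProcess($app.DisplayName, 'msiexec /x')) {
                $proc = Start-Process -FilePath msiexec.exe `
                    -ArgumentList "/x $($app.PSChildName) /qn /norestart" -Wait -PassThru
                # 0 = removed; 3010 = removed, reboot pending (ERROR_SUCCESS_REBOOT_REQUIRED).
                Write-Output "$($app.DisplayName) $($app.DisplayVersion): msiexec exit code $($proc.ExitCode)"
            }
        } else {
            # Non-MSI entry: show the vendor's uninstall command rather than guessing its silent switches.
            Write-Output "$($app.DisplayName): not an MSI entry, uninstall string is: $($app.UninstallString)"
        }
    }

    # Verify: the registry entry should be gone once msiexec has finished.
    if (@(Get-QuickTimeInstall).Count -eq 0) {
        Write-Output 'Verified: no QuickTime entry remains in the Uninstall keys.'
    }
}

# Preview, then remove:
Remove-QuickTimeInstall -WhatIf
Remove-QuickTimeInstall
```

`Get-QuickTimeInstall` on its own is useful as an inventory query across a fleet (for example via `Invoke-Command`) to confirm which machines still carry the player before and after the removal.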
Apple’s decision to deprecate QuickTime for Windows means the multimedia player will now join Microsoft Windows XP, Oracle Java 6, and an increasingly long list of popular platforms that are no longer being updated by vendors to fix vulnerabilities.