NOTICE: Uninstall QuickTime for Windows; it is unsupported
Monday, April 18, 2016
This message is intended for U-M IT staff who are responsible for university computers that have QuickTime for Windows installed. It is also intended for people who manage their own Windows computer with QuickTime for Windows installed. It was sent to the IT Security Community, Frontline Notify, and Windows Administrators groups via email on April 18, 2016.
Summary
Apple has ended support for QuickTime for Windows and will no longer provide security updates for it. Two vulnerabilities in QuickTime for Windows were announced last week, and patches will not be released to address them. Anyone who has QuickTime for Windows installed is urged to uninstall it. Most recent media-related programs for Windows no longer use QuickTime to play modern media formats.
Problem
QuickTime for Windows has reached the end of its lifecycle, and Apple will no longer provide security updates for it. It is unsafe to run outdated, unsupported software on your devices.
Threats
Computer systems running unsupported software are exposed to elevated cybersecurity dangers, such as increased risks of malicious attacks or electronic data loss. Exploitation of QuickTime for Windows vulnerabilities could allow remote attackers to take control of affected systems. Two vulnerabilities for QuickTime for Windows have already been identified, and patches will not be released to address them.
Affected Versions
All versions of QuickTime for Windows are now unsupported by Apple and should be uninstalled. Note that QuickTime on Mac OSX is not affected by this.
Action Items
Uninstall QuickTime for Windows. For instructions, see Uninstall QuickTime 7 for Windows (Apple).
Technical Details
The identified vulnerabilities allow remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime for Windows. User interaction is required to exploit the vulnerabilities in that the target must visit a malicious page or open a malicious file. The specific flaws exist within the moov atom and within atom processing. By specifying an invalid value for a field within the moov atom or an invalid index, an attacker can write data outside of an allocated heap buffer. An attacker could leverage this to execute arbitrary code under the context of the QuickTime player.
Information for Users
If you have QuickTime on your own Windows computer that is not managed by the university, you should uninstall it. It will be removed from any MiWorkspace machines that have it as soon as possible.
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Spam, Phishing, and Suspicious Email, Instructions for Securing Your Devices and Data, and Use a Secure Internet Connection on the U-M Safe Computing website.
Questions, Concerns, Reports
Please contact [email protected].
References
- Urgent Call to Action: Uninstall QuickTime for Windows Today (Trend Micro, 4/14/16)
- (0Day) Apple QuickTime moov Atom Heap Corruption Remote Code Execution Vulnerability (Zero Day Initiative, 4/14/16)
- (0Day) Apple QuickTime Atom Processing Heap Corruption Remote Code Execution Vulnerability (Zero Day Initiative, 4/14/16)
- Uninstall QuickTime 7 for Windows (Apple)
- Apple Ends Support for QuickTime for Windows; New Vulnerabilities Announced (US-CERT, 4/14/16)
- US-CERT to Windows Users: Dump Apple Quicktime (Krebs on Security, 4/18/16)
- Apple stops patching QuickTime for Windows despite 2 active vulnerabilities (Ars Technica, 4/14/16)