Story image

QuickTime for Windows could be an accident waiting to happen

18 Apr 2016

Trend Micro has discovered two new, critical vulnerabilities affecting QuickTime for Windows, which Apple will no longer be supporting.

These are remote code execution vulnerabilities that could allow an attacker to gain control of the victim’s system, the company says. In an enterprise setting, this could mean opening the door for hackers to access larger, company-wide networks, according to Trend Micro.

Christopher Budd, global threat communications manager at Trend Micro, says there are no active attacks currently exploiting these vulnerabilities, however, they will never be patched and therefore users should uninstall the software.

“QuickTime for Windows now joins Microsoft Windows XP and Oracle Java 6 as software that is no longer being updated to fix vulnerabilities and is therefore subject to ever increasing risk as more and more unpatched vulnerabilities are found affecting it,” says Budd.

“Ultimately the right answer is to follow Apple’s guidance and uninstall QuickTime for Windows,” he says.

Budd says Apple is deprecating QuickTime for Microsoft Windows, which means they will no longer be issuing security updates for the product on the Windows Platform and recommend users uninstall it. This does not apply to QuickTime on Mac OSX, he says.

Trend Micro TippingPoint customers have been protected against the two vulnerabilities since November 24, 2015 with filters 21918(ZDI-CAN-3401) and 21919(ZDI-CAN-3402). However, even with protections, users should follow Apple’s guidance and uninstall the service, as this is the only sure way to be protected against all current and future vulnerabilities in the product now that Apple is no longer providing security updates for it, Budd says.

“For those that want more technical details here are the important points: both of these are heap corruption remote code execution vulnerabilities. One vulnerability occurs an attacker can write data outside of an allocated heap buffer. The other vulnerability occurs in the stco atom where by providing an invalid index, an attacker can write data outside of an allocated heap buffer.

“Both vulnerabilities would require a user to visit a malicious web page or open a malicious file to exploit them. And both vulnerabilities would execute code in the security context the QuickTime player, which in most cases would be that of the logged on user,” Budd says.

Trend Micro released its two advisories on QuickTime in accordance with the Zero Day Initiative’s Disclosure Policy for when a vendor does not issue a security patch for a disclosed vulnerability, and because Apple is no longer providing security updates for QuickTime on Windows these vulnerabilities are never going to be patched, Trend Micro says.

For additional information, see this advisory from US-CERT:

Seagate: Data trends, opportunities, and challenges at the edge
The development of edge technology and the rise of big data have brought many opportunities for data infrastructure companies to the fore.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.
How blockchain could help stop video piracy in its tracks
An Australian video tech firm has successfully tested a blockchain trial that could end up being a welcome relief for video creators and the fight against video piracy.
IBM X-Force Red & Qualys introduce automated patching
IBM X-Force Red and Qualys are declaring a war on unpatched systems, and they believe automation is the answer.
Micro Focus acquires Interset to improve predictive analytics
Interset utilises user and entity behavioural analytics (UEBA) and machine learning to give security professionals what they need to execute threat detection analysis.
Raising the stakes: McAfee’s predictions for cybersecurity
Security teams and solutions will have to contend with synergistic threats, increasingly backed by artificial intelligence to avoid detection.
Exclusive: Ping Identity on security risk mitigation
“Effective security controls are measured and defined by the direct mitigation of inherent and residual risk.”
CylancePROTECT now available on AWS Marketplace
Customers now have access to CylancePROTECT for AI-driven protection across all Windows, Mac, and Linux (including Amazon Linux) instances.