Citing security firm Trend Micro, the Department of Homeland Security has issued a timely alert to Windows users, reminding them that Apple has ended QuickTime support for Windows, leaving them vulnerable to new exploits.
Trend Micro called it an ‘urgent call to action’, highlighting the importance of the issue at hand. QuickTime is a popular video-rendering software that is the default media player on Apple computers.
For the longest time, QuickTime also found a place on Windows machine, with regular software updates to keep the program up to date. However, this development cycle has come to an end. With it, there are two critical vulnerabilities already being flagged by Trend Micro.
The two critical vulnerabilities specifically affect QuickTime users on Windows alone. Since Apple has ceased and put an end to its development cycle for the software, the security firm has put out the alert as a part of the Zero Day Initiative’s Disclosure Policy, with immediate effect.
The two advisories are ZDI-16-241 and ZDI-16-242. The two exploits use remote code execution. One of them sees an attacker gain the means to write data outside of an allocated heap buffer.
The other exploit occurs when an attacker can do the same by providing an invalid index in the stco atom. Both vulnerabilities require the targeted user to either open a malicious file or visit a malicious, compromised website for the exploit to work. Notably, both vulnerabilities execute code in the security context of the QuickTime player.
With Windows being the most widely used operating system around, the United States Computer Emergency Readiness Team (US-CERT) promptly issued an alert reminding users to uninstall QuickTime altogether.
Making a reference to the ‘impact’ of the vulnerability, US-CERT stated:
Computer systems running unsupported software are exposed to elevated cybersecurity dangers, such as increased risks of malicious attacks or electronic data loss. Exploitation of QuickTime for Windows vulnerabilities could allow remote attackers to take control of affected systems.
A list of potential negative consequences of running QuickTime on Windwos include:
- Loss of confidentiality, integrity or availability of data
- Damage to system resources or business assets
The “only mitigation” at hand here, the cyber-defense arm of the DHS reveals, is to uninstall QuickTime for Windows.
Image credit: Wikimedia.
