
Uninstall QuickTime For Windows Today

Published: 2016-04-15. Last Updated: 2016-04-15 17:42:53 UTC
by Johannes Ullrich (Version: 1)

TippingPoint's Zero Day Initiative made two vulnerabilities in QuickTime for Windows public yesterday [1][2]. Both vulnerabilities allow remote code execution, but some user interaction is required: the user has to visit a web page with a malicious file to be exposed to the exploit. The CVSS score for both vulnerabilities is 6.8.

Usually, I would point to a patch at this point. But Apple responded to TippingPoint stating that QuickTime for Windows is no longer a supported product, and no updates will be released to fix these two vulnerabilities.

Apple published a page with details about how to uninstall QuickTime [3]. But I can't find any other official announcement from Apple about the state of QuickTime, other than the TippingPoint vulnerability release. As part of the uninstall instructions, Apple recommends searching for "Uninstall QuickTime." Please make sure to only search locally; do not use a Bing/Google/... search, as it may lead to suspect software. A quick check I just did doesn't show anything terribly suspect; there are at least a couple of spammy links in Bing.
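To confirm whether QuickTime is present on a host before and after removal, the following added example (not part of the original diary or of Apple's instructions) lists matching entries in the standard Windows uninstall registry keys. The function name `Find-QuickTimeInstall` and the match on a DisplayName containing "QuickTime" are assumptions.

```powershell
# Added example: local inventory check for QuickTime for Windows.
# Assumption: the installer registers a DisplayName containing "QuickTime".
function Find-QuickTimeInstall {
    [CmdletBinding()]
    param(
        [string]$NamePattern = 'QuickTime'   # assumed DisplayName substring
    )

    # Standard uninstall keys: per-machine (64-bit and 32-bit view) and per-user.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    foreach ($key in $uninstallKeys) {
        # Keys that do not exist (e.g. WOW6432Node on 32-bit Windows) are skipped.
        Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -and $_.DisplayName -like "*$NamePattern*" } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer        = $env:COMPUTERNAME
                    DisplayName     = $_.DisplayName
                    DisplayVersion  = $_.DisplayVersion
                    Publisher       = $_.Publisher
                    UninstallString = $_.UninstallString
                    # Strip the provider prefix so the key path is readable.
                    RegistryKey     = $_.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                }
            }
    }
}

# Report findings; an empty result means no matching uninstall entry exists.
$found = @(Find-QuickTimeInstall)
if ($found.Count -eq 0) {
    Write-Output "No QuickTime uninstall entry found on $env:COMPUTERNAME."
} else {
    $found | Format-List
}
```

The check only reads the registry; removal itself still goes through the local uninstall entry described in Apple's instructions [3].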


[1] http://zerodayinitiative.com/advisories/ZDI-16-241/
[2] http://zerodayinitiative.com/advisories/ZDI-16-242/
[3] https://support.apple.com/HT205771

---
Johannes B. Ullrich, Ph.D.

Comments

Messaging on this has been horrible, but that's to be expected if the provider refuses to take ownership. Here's another reference
https://www.us-cert.gov/ncas/alerts/TA16-105A
Oh, it gets better: Apple Software Update is still suggesting installing QuickTime for Windows, at least as of this afternoon. It's not automatically selected or installed, but users that have any other Apple product (such as iTunes or iCloud for Windows) are periodically told "new software is available from Apple," including the vulnerable QuickTime 7.7.9. Here's a screen cap: http://www.securityforrealpeople.com/2016/04/got-quicktime-take-moment-to-unget-it.html
Removed QuickTime from 3 systems to be prepared, clicked Apple Update and was told I need to download Apple's QuickTime 7 Abandonware. Somebody can't find the seat of their pants with both hands and a flashlight.
