Apple has taken the decision to stop providing support for QuickTime 7 for Windows. The QuickTime support page has now been updated to alert users that security updates will no longer be issued, although an official announcement has not yet been made.
On its website, Apple suggested users should uninstall QuickTime for Windows as soon as possible. Trend Micro reiterated the urgent need for everyone to remove the application in order to prevent vulnerabilities from being exploited by malicious actors.
The urgency stems from the discovery of two new critical vulnerabilities (ZDI-16-241 and ZDI-16-242) by the Trend Micro Zero Day Initiative. While these two heap corruption remote code execution vulnerabilities are not known to be currently exploited, it will only be a matter of time before attacks take place.
Both vulnerabilities allow malicious actors to write data outside of an allocated heap buffer. For either vulnerability to be exploited, an individual would need to visit a website containing malicious code. Alternatively, the vulnerabilities could be exploited using malicious files sent via spam email.
Since Apple will not be issuing any further patches for QuickTime for Windows, the only way users can remain protected is to uninstall the software. The longer the program remains on a computer, the greater the risk of vulnerabilities being exploited.
Following the news from Trend Micro, US-CERT issued an alert (TA16-105A) warning that QuickTime for Windows is vulnerable to exploitation and that any individual running the unsupported software will be exposed to an elevated risk of cyberattack. According to the bulletin, those attacks could result in data loss or attackers taking control of affected systems. US-CERT similarly advises all users to uninstall QuickTime for Windows at the earliest opportunity.
While Apple has pulled support for the Windows version of QuickTime, support will continue to be provided for QuickTime on Mac OS X.