Feds warn Windows PC users to uninstall Quicktime

No replies
Jodiendo
Joined: 01/09/2013

Source:

http://www.foxnews.com/tech/2016/04/18/homeland-security-warns-windows-pc-users-to-uninstall-quicktime.html?intcmp=hpbt2

The Department of Homeland Security and a top cybersecurity firm have advised Windows PC users to uninstall Apple's Quicktime video player immediately after two new bugs were found in the software.

In a blog post published Thursday, the Trend Micro security firm said that Apple was no longer issuing security updates for Quicktime for Windows, despite the presence of the bugs. Trend Micro said the bugs could be used to launch attacks on PCs if users visit a compromised web page or open a tainted file.

Trend Micro said it was not aware of any cases where the bugs had been exploited by hackers. The warning does not apply to Quicktime on Mac operating systems.

DHS's United States Computer Emergency Readiness Team (US-CERT) put out a similar alert Thursday warning that Windows PC users were vulnerable to viruses and other threats due to the security flaws.

"The only mitigation available is to uninstall QuickTime for Windows," US-CERT's alert said.

There has been no public comment from Apple on the situation, though the company has posted instructions for uninstalling Quicktime for Windows on its website.

We’re putting the word out that everyone should follow Apple’s guidance and uninstall QuickTime for Windows as soon as possible.

This is for two reasons.

First, Apple is deprecating QuickTime for Microsoft Windows. They will no longer be issuing security updates for the product on the Windows Platform and recommend users uninstall it. Note that this does not apply to QuickTime on Mac OSX.

Second, our Zero Day Initiative has just released two advisories ZDI-16-241 and ZDI-16-242 detailing two new, critical vulnerabilities affecting QuickTime for Windows. These advisories are being released in accordance with the Zero Day Initiative’s Disclosure Policy for when a vendor does not issue a security patch for a disclosed vulnerability. And because Apple is no longer providing security updates for QuickTime on Windows, these vulnerabilities are never going to be patched.

We’re not aware of any active attacks against these vulnerabilities currently. But the only way to protect your Windows systems from potential attacks against these or other vulnerabilities in Apple QuickTime now is to uninstall it. In this regard, QuickTime for Windows now joins Microsoft Windows XP and Oracle Java 6 as software that is no longer being updated to fix vulnerabilities and subject to ever increasing risk as more and more unpatched vulnerabilities are found affecting it.

You can find information on how to uninstall Apple QuickTime for Windows from the Apple website here: https://support.apple.com/HT205771

Our TippingPoint customers have been protected against these two vulnerabilities since November 24, 2015 with filters 21918(ZDI-CAN-3401) and 21919(ZDI-CAN-3402).

However, even with protections, ultimately the right answer is to follow Apple’s guidance and uninstall QuickTime for Windows. That is the only sure way to be protected against all current and future vulnerabilities in the product now that Apple is no longer providing security updates for it.

For those that want more technical details, here are the important points: both of these are heap corruption remote code execution vulnerabilities. One vulnerability occurs when an attacker can write data outside of an allocated heap buffer. The other vulnerability occurs in the stco atom where, by providing an invalid index, an attacker can write data outside of an allocated heap buffer. Both vulnerabilities would require a user to visit a malicious web page or open a malicious file to exploit them. And both vulnerabilities would execute code in the security context of the QuickTime player, which in most cases would be that of the logged-on user.

Both vulnerabilities have a CVSS 2.0 score of 6.8. For more details, please see:

http://zerodayinitiative.com/advisories/ZDI-16-241/
http://zerodayinitiative.com/advisories/ZDI-16-242/

For additional information, please see this advisory from US-CERT: https://www.us-cert.gov/ncas/alerts/TA16-105A
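
Since uninstalling is the only mitigation named above, the first step on a fleet is finding where QuickTime is still installed. The PowerShell below is an added example, not code from Trend Micro, US-CERT or Apple; it reads the standard Windows Uninstall registry keys, and the `*QuickTime*` display-name pattern and the function name `Find-QuickTimeInstall` are assumptions of this example.

```powershell
# Added example: report QuickTime for Windows installs recorded in the
# Uninstall registry keys (64-bit, 32-bit on 64-bit Windows, and per-user).
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Find-QuickTimeInstall {
    param(
        [string[]]$Roots = $uninstallRoots,
        # Assumption: the product registers a DisplayName containing "QuickTime".
        [string]$NamePattern = '*QuickTime*'
    )
    foreach ($root in $Roots) {
        # A root that does not exist (e.g. WOW6432Node on 32-bit Windows) is skipped.
        Get-ItemProperty -Path $root -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like $NamePattern } |
            Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                          DisplayName, DisplayVersion, Publisher, UninstallString,
                          @{ n = 'RegistryKey'; e = { $_.PSChildName } }
    }
}

$found = @(Find-QuickTimeInstall)
if ($found.Count -eq 0) {
    Write-Output "No QuickTime entry found in the Uninstall registry keys."
    exit 0
}

# Non-zero exit lets an inventory or compliance tool flag the host.
$found | Format-List
exit 1
```

The HKCU key only covers the account running the script, so a run under a service account reports machine-wide installs only.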