
QuickTime for Windows: A Cautionary Tale
In 2003, Apple made iTunes available on Windows XP and 2000, securing a foothold in the portable media player market by letting anyone use an iPod regardless of whether they owned a Mac or a Windows PC. QuickTime 7 reached Windows in 2005, laying groundwork for the growth in mobile technology that came in the years after. This was a different time, though: Apple was still an underdog in the mobile industry, and its triumphant march to market dominance with the iPhone was years away. Apple had to cater to users' needs across all platforms in order to grow. Ten years later, the game has changed.
“Apple is deprecating QuickTime for Microsoft Windows. They will no longer be issuing security updates for the product on the Windows Platform, and recommend users uninstall it.”
Earlier this week, Trend Micro reported that Apple is ending support for QuickTime on all Windows platforms (XP, 7, 8, 10). In addition, the Zero Day Initiative released details of two vulnerabilities, ZDI-16-241 and ZDI-16-242, affecting QuickTime for Windows. Both carry a CVSS score of 6.8, and both were published under the organization's Disclosure Policy, which applies when a vendor does not issue a security patch for a reported vulnerability.
This vulnerability is being disclosed through the Zero Day Initiative (ZDI) publicly without a patch because the vendor (Apple Inc.) has indicated that the product is deprecated.
Timeline:
11/11/2015 – ZDI reported 2 vulnerabilities to the vendor
11/11/2015 – The vendor acknowledged receipt of both reports
02/29/2016 – ZDI wrote to the vendor requesting a status update
03/08/2016 – The vendor replied, inviting ZDI to a call
03/09/2016 – ZDI joined a call with the vendor:
ZDI was advised that the product would be deprecated on Windows and the vendor would publish removal instructions for users.
ZDI advised the vendor that the cases would be 0-day.
03/24/2016 – ZDI notified the vendor of the intent to 0-day on or after 4/13
04/01/2016 – The vendor acknowledged and provided a link to their removal instructions.
Apple has published a QuickTime Uninstall Support Page with removal instructions (the link the vendor provided on 04/01/2016 in the timeline above). Both vulnerabilities allow remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime for Windows. User interaction is required: the target must visit a malicious page or open a malicious file. Details of each finding follow:
- ZDI-16-241 – Apple QuickTime moov Atom Heap Corruption Remote Code Execution Vulnerability: This specific flaw exists within the moov atom. By specifying an invalid value for a field within the moov atom, an attacker can write data outside of an allocated heap buffer. An attacker could leverage this to execute arbitrary code under the context of the QuickTime player.
- ZDI-16-242 – Apple QuickTime Atom Processing Heap Corruption Remote Code Execution Vulnerability: This specific flaw exists within atom processing. By providing an invalid index, an attacker can write data outside of an allocated heap buffer. An attacker could leverage this to execute arbitrary code under the context of the QuickTime player.
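Both findings are the same bug class: a number read from an atom (a declared count, a table index) is trusted to size or index a heap buffer. The following is an added illustration written for this page, not QuickTime's code and not the actual flaw behind either advisory. It walks the real QuickTime/MP4 atom header format (4-byte big-endian size, 4-byte type) and then parses a hypothetical table atom, `xtbl`, invented here for the example: a 4-byte entry count followed by 8-byte entries of {slot index, value}. The unchecked parser reads past the payload when the count is inflated and writes past the table when a slot index is out of range; the checked parser rejects both, along with atom sizes that exceed the bytes actually present. The sample files are constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ATOM_HDR 8
/* Emit a 32-bit value as four big-endian bytes inside an array initializer. */
#define U32(x) (uint8_t)((x) >> 24), (uint8_t)((x) >> 16), (uint8_t)((x) >> 8), (uint8_t)(x)

enum { XTBL_OK = 0, XTBL_TRUNCATED = 1, XTBL_BAD_INDEX = 2, XTBL_NO_ATOM = 3 };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Find a child atom of the given type in buf[0..len). Returns a pointer to its
 * payload and stores the payload length, or NULL if the atom is absent or any
 * header claims more bytes than exist. (The toy treats the special sizes 0 and 1
 * of the real format as invalid rather than implementing them.) */
static const uint8_t *find_atom(const uint8_t *buf, size_t len, const char *type, size_t *payload_len) {
    size_t off = 0;
    while (off + ATOM_HDR <= len) {
        uint32_t size = be32(buf + off);
        if (size < ATOM_HDR || size > len - off) return NULL;  /* inconsistent size: stop */
        if (memcmp(buf + off + 4, type, 4) == 0) {
            *payload_len = size - ATOM_HDR;
            return buf + off + ATOM_HDR;
        }
        off += size;
    }
    return NULL;
}

/* The 'before': trusts the declared count and every slot index. An inflated
 * count reads past the atom payload; a slot >= count writes past the calloc'd
 * table. Kept only for contrast; never call it on untrusted input. */
uint32_t *parse_xtbl_unchecked(const uint8_t *p, size_t n) {
    (void)n;                                    /* payload length ignored: the bug */
    uint32_t count = be32(p);
    uint32_t *table = calloc(count, sizeof *table);
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = p + 4 + (size_t)i * 8;
        table[be32(e)] = be32(e + 4);           /* unchecked heap write */
    }
    return table;
}

/* The hardened form: each attacker-controlled number is checked against the
 * bytes that actually exist and the buffer that was actually allocated. */
int parse_xtbl_checked(const uint8_t *p, size_t n, uint32_t **out, uint32_t *out_count) {
    *out = NULL;
    *out_count = 0;
    if (n < 4) return XTBL_TRUNCATED;
    uint32_t count = be32(p);
    if (count > (n - 4) / 8) return XTBL_TRUNCATED;   /* declared entries exceed payload (overflow-safe) */
    uint32_t *table = calloc(count ? count : 1, sizeof *table);
    if (!table) return XTBL_TRUNCATED;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = p + 4 + (size_t)i * 8;
        uint32_t slot = be32(e);
        if (slot >= count) { free(table); return XTBL_BAD_INDEX; }  /* index outside allocation */
        table[slot] = be32(e + 4);
    }
    *out = table;
    *out_count = count;
    return XTBL_OK;
}

/* Locate moov/xtbl in a whole file image and parse it with the checked parser. */
int load_table(const uint8_t *file, size_t len, uint32_t **out, uint32_t *count) {
    size_t moov_len, xtbl_len;
    const uint8_t *moov = find_atom(file, len, "moov", &moov_len);
    if (!moov) return XTBL_NO_ATOM;
    const uint8_t *xtbl = find_atom(moov, moov_len, "xtbl", &xtbl_len);
    if (!xtbl) return XTBL_NO_ATOM;
    return parse_xtbl_checked(xtbl, xtbl_len, out, count);
}

/* Constructed sample files (hypothetical xtbl atom inside moov). */
const uint8_t good[] = {
    U32(36), 'm', 'o', 'o', 'v',
      U32(28), 'x', 't', 'b', 'l',
        U32(2),
        U32(1), U32(0x11),
        U32(0), U32(0x22),
};
const uint8_t bad_count[] = {        /* count field inflated far past the payload */
    U32(36), 'm', 'o', 'o', 'v',
      U32(28), 'x', 't', 'b', 'l',
        U32(0x7fffffff),
        U32(1), U32(0x11),
        U32(0), U32(0x22),
};
const uint8_t bad_index[] = {        /* slot index outside the two-entry table */
    U32(36), 'm', 'o', 'o', 'v',
      U32(28), 'x', 't', 'b', 'l',
        U32(2),
        U32(0x1000), U32(0x11),
        U32(0), U32(0x22),
};

int main(void) {
    uint32_t *t;
    uint32_t n;
    int rc = load_table(good, sizeof good, &t, &n);
    printf("good: rc=%d count=%u slot0=0x%x slot1=0x%x\n", rc, n, t[0], t[1]);
    free(t);
    printf("bad_count: rc=%d\n", load_table(bad_count, sizeof bad_count, &t, &n));
    printf("bad_index: rc=%d\n", load_table(bad_index, sizeof bad_index, &t, &n));
    return 0;
}
```

The two constructed malformed files map onto the two advisories' descriptions: `bad_count` supplies an invalid value for a field inside the container, `bad_index` supplies an invalid index. With the unchecked parser either one corrupts the heap; with the checked parser each is refused before any write happens, and a file whose atom header overruns the buffer is rejected by the walker itself.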
Perhaps most compelling of all is the Department of Homeland Security's direction to Windows users running QuickTime: "Uninstall immediately."
QuickTime for Windows will continue to function nominally after support ends. However, using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets. The only mitigation available is to uninstall QuickTime for Windows.
“Computer systems running unsupported software are exposed to elevated cybersecurity dangers, such as increased risks of malicious attacks or electronic data loss. Exploitation of QuickTime for Windows vulnerabilities could allow remote attackers to take control of affected systems.”
While ending QuickTime for Windows support represents a meaningful change of heart for Apple on cross-platform compatibility, it raises the question of whether the trend will continue. More than ten years ago, it was Walt Mossberg who swayed Steve Jobs to ship iTunes for Windows, building a user base independent of the unending Mac vs. PC struggle for dominance. Now that the company commands a much wider footprint in the desktop and mobile space, Apple CEO Tim Cook may take a different approach from his predecessor.
While leading security experts advise that the only mitigation for these vulnerabilities is to uninstall QuickTime on Windows, Apple executives may advise a different approach: abandon Windows and upgrade to a Mac to keep using the most up-to-date version of QuickTime available.