The Zero Day Initiative, a group whose function is to seek out brand-new vulnerabilities in software and report those back to the publisher, announced an alarming find last week. ZDI uncovered two security flaws in Apple’s QuickTime software, then reported those to Apple. The resulting response was something along the lines of, “Oh well, we’re dumping QuickTime anyway.”
That’s a serious oversimplification of what was probably a well-thought-out response from Apple’s tech and PR departments, but that was the gist of it.
Originally an Apple computer application, QuickTime powers multimedia content. A Windows download came along later, ostensibly to reach those users who were PC devotees when it came to computing, but Apple product fans when it came to their mobile devices. QuickTime provided that compatibility, letting you take video content from your iPhone and redirect it through your PC, for example.
There is no evidence yet that anyone has used these two newly discovered vulnerabilities in a malicious way, but experts aren’t taking any chances. ZDI has instructed Windows users to delete QuickTime, as has the US federal government. According to a statement from the US Computer Emergency Readiness Team, “Computer systems running unsupported software are exposed to elevated cybersecurity dangers, such as increased risks of malicious attacks or electronic data loss. Exploitation of QuickTime for Windows vulnerabilities could allow remote attackers to take control of affected systems.” The document continued, “Computers running QuickTime for Windows will continue to work after support ends. However, using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets. The only mitigation available is to uninstall QuickTime for Windows.”
Apple has not yet announced when it will end compatibility for QuickTime altogether; this news only points to the lack of future updates.