It is quite rare for the US government to issue a warning about home computer systems (at least on a massive scale), but the Department of Homeland Security has recently announced that PC owners should uninstall QuickTime from Windows systems, because two vulnerabilities have just been discovered in its code. The primary reason such vulnerabilities exist is that Apple is no longer updating the Windows version of its app. The Department of Homeland Security states that “the only mitigation” is for users to uninstall the software entirely. Otherwise, they risk “loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets.”
The Department of Homeland Security Issues a Warning for Windows Users to Uninstall, or Completely Remove, Apple’s QuickTime App
The US government's advice echoes that of Trend Micro, a security firm also known for its anti-virus programs, which first reported the two QuickTime vulnerabilities for Windows systems through its Zero Day Initiative. The security company states that it is not aware (at the time of writing) of any successful attacks in which hackers have taken advantage of the security holes. However, since Apple is no longer issuing updates or patches to resolve these issues, or any further problems the app might have on Windows operating systems, the holes will forever remain a “welcome mat” to malicious attacks from here on out.
Trend Micro's Zero Day Initiative page on Apple's QuickTime app states: “This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the moov atom. By specifying an invalid value for a field within the moov atom, an attacker can write data outside of an allocated heap buffer. An attacker could leverage this to execute arbitrary code under the context of the QuickTime player.”
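The advisory does not say which field in the moov atom is mishandled, so the following added example (not code from Trend Micro, Apple or the original article) shows only the general defensive pattern: a parser that refuses to trust an atom's declared size until it has been checked against the enclosing data. It is a structural sanity check, not a detector for the specific flaw; `walk_atoms`, `atom`, `GOOD` and `BAD` are hypothetical names and the sample movies are constructed.

```python
import struct

# Container atoms whose payload is itself a sequence of atoms (QuickTime file format).
CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"dinf", b"edts"}

def walk_atoms(buf, start=0, end=None, path=""):
    """Return a list of (path, problem) findings for atoms in buf[start:end]."""
    end = len(buf) if end is None else end
    findings, pos = [], start
    while pos < end:
        if end - pos < 8:
            findings.append((path or "/", f"{end - pos} stray bytes, too short for an atom header"))
            break
        size, kind = struct.unpack_from(">I4s", buf, pos)
        name = f"{path}/{kind.decode('latin-1')}"
        header = 8
        if size == 1:  # 64-bit extended size follows the type field
            if end - pos < 16:
                findings.append((name, "extended size field truncated"))
                break
            size, header = struct.unpack_from(">Q", buf, pos + 8)[0], 16
        elif size == 0:  # atom extends to the end of the enclosing data
            size = end - pos
        if size < header:
            findings.append((name, f"declared size {size} smaller than its own header"))
            break
        if pos + size > end:  # the check a vulnerable parser skips before copying
            findings.append((name, f"declared size {size} overruns parent by {pos + size - end} bytes"))
            break
        if kind in CONTAINERS:
            findings += walk_atoms(buf, pos + header, pos + size, name)
        pos += size
    return findings

def atom(kind, payload=b""):
    """Build a well-formed atom (used only to construct the sample inputs)."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload

# Constructed samples: a tiny well-formed movie, and one whose mvhd lies about its size.
GOOD = atom(b"ftyp", b"qt  ") + atom(b"moov", atom(b"mvhd", bytes(100)) + atom(b"trak", atom(b"tkhd", bytes(84))))
bad_mvhd = struct.pack(">I4s", 0x1000, b"mvhd") + bytes(100)
BAD = atom(b"ftyp", b"qt  ") + atom(b"moov", bad_mvhd)

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD)):
        print(label, walk_atoms(sample) or "no structural problems")
```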
Even though the US government is known to put out security alerts about specific software, such as QuickTime, through its Computer Emergency Readiness Team (CERT), the solutions offered in these warnings are often open-ended, such as advice to install an anti-virus program or keep on top of updates.