U.S. Department of Homeland Security US-CERT

National Cyber Awareness System:

TA16-105A: Apple Ends Support for QuickTime for Windows; New Vulnerabilities
Announced
04/14/2016 03:48 PM EDT


Original release date: April 14, 2016

Systems Affected
Microsoft Windows with Apple QuickTime installed

Overview
According to Trend Micro, Apple will no longer be providing security updates
for QuickTime for Windows, leaving this software vulnerable to exploitation.
[1]

Description
All software products have a lifecycle. Apple will no longer be providing
security updates for QuickTime for Windows. [1]

The Zero Day Initiative has issued advisories for two vulnerabilities found in
QuickTime for Windows. [2] [3]

Impact
Computer systems running unsupported software are exposed to elevated
cybersecurity dangers, such as increased risks of malicious attacks or
electronic data loss. Exploitation of QuickTime for Windows vulnerabilities
could allow remote attackers to take control of affected systems.

Solution
Computers running QuickTime for Windows will continue to work after support
ends. However, using unsupported software may increase the risks from viruses
and other security threats. Potential negative consequences include loss of
confidentiality, integrity, or availability of data, as well as damage to
system resources or business assets. The only mitigation available is to
uninstall QuickTime for Windows. Users can find instructions for uninstalling
QuickTime for Windows on the Apple Uninstall QuickTime page. [4]

References
[1] Trend Micro - Urgent Call to Action: Uninstall QuickTime for Windows Today
[2] Zero Day Initiative Advisory ZDI 16-241: (0Day) Apple QuickTime moov Atom
Heap Corruption Remote Code Execution Vulnerabilit
[3] Zero Day Initiative Advisory ZDI 16-242: (0Day) Apple QuickTime Atom
Processing Heap Corruption Remote Code Execution Vulner
[4] Apple - Uninstall QuickTime 7 for Windows
Revision History
April 14, 2016: Initial Release

----------------------------------------------------------------
-------------- -

This product is provided subject to this Notification and this Privacy & Use
policy.


----------------------------------------------------------------
-------------- -
A copy of this publication is available at www.us-cert.gov. If you need help
or have questions, please send an email to info@us-cert.gov. Do not reply to
this message since this email was sent from a notification-only address that
is not monitored. To ensure you receive future US-CERT products, please add
US-CERT@ncas.us-cert.gov to your address book.
OTHER RESOURCES:
Contact Us | Security Publications | Alerts and Tips | Related Resources
STAY CONNECTED:
Sign up for email updates

SUBSCRIBER SERVICES:
Manage Preferences  |  Unsubscribe  |  Help


----------------------------------------------------------------
-------------- -
This email was sent to Fido4cmech@lusfiber.net using GovDelivery, on behalf
of: United States Computer Emergency Readiness Team (US-CERT) · 245 Murray
Lane SW Bldg 410 · Washington, DC 20598 · (888) 282-0870 Powered by GovDelivery

=== Cut ===


--
Keep the faith   :^)

   Ben  aka cMech  Web: http|ftp|telnet://cmech.dynip.com
                 Email: fido4cmech(at)lusfiber.net
              Home page: http://cmech.dynip.com/homepage/
           WildCat! Board 24/7  +1-337-984-4794  any BAUD 8,N,1

--- GoldED+/W32-MSVC
 * Origin: FIDONet - The Positronium Repository (1:393/68)