Cyber security company Trend Micro has uncovered two critical vulnerabilities in QuickTime for Windows. The Windows version of the program is being phased out, and Apple has announced that there will be no more security patches. OS X versions of QuickTime are not affected.
Trend Micro chose to release the advisories in line with its disclosure policy, under which it sends an advisory when a vendor does not issue a security patch.
“[B]oth of these are heap corruption remote code execution vulnerabilities. One vulnerability occurs an attacker can write data outside of an allocated heap buffer.
The other vulnerability occurs in the stco atom where by providing an invalid index, an attacker can write data outside of an allocated heap buffer.
Both vulnerabilities would require a user to visit a malicious web page or open a malicious file to exploit them. And both vulnerabilities would execute code in the security context of the QuickTime player, which in most cases would be that of the logged-on user.”
– Christopher Budd (Trend Micro)
Despite support ending in April 2014, more than 10% of desktop computers worldwide still run Windows XP. It is worth checking work computers and those of family members, or of anyone who might not keep up with regular patches and updates.
How to uninstall QuickTime for Windows
- Click Start
- Control Panel
- Programs and Features
- Select QuickTime and click Uninstall
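
For checking more than one machine, the same steps can be scripted. The PowerShell below is an added example, not from Trend Micro or Apple: it reads the standard Windows Uninstall registry keys to find QuickTime and can remove it silently. It assumes the entry's DisplayName contains "QuickTime" and that the install is MSI-based; the function names are hypothetical.

```powershell
# Added example: find and optionally remove QuickTime for Windows.
# Assumption: the installer registers a DisplayName containing "QuickTime"
# under the machine-wide Uninstall keys (native and 32-bit-on-64-bit views).
$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-QuickTimeInstall {
    foreach ($root in $UninstallRoots) {
        # Entries without a DisplayName compare as $null and are skipped.
        Get-ItemProperty -Path $root -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like '*QuickTime*' } |
            Select-Object DisplayName, DisplayVersion, Publisher,
                          UninstallString, PSChildName
    }
}

function Remove-QuickTimeInstall {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] $Install)
    process {
        # MSI-registered products use their product-code GUID as the key name.
        if ($Install.PSChildName -notmatch '^\{[0-9A-Fa-f-]{36}\}$') {
            Write-Warning "$($Install.DisplayName): not an MSI entry; remove it via Programs and Features."
            return
        }
        if ($PSCmdlet.ShouldProcess($Install.DisplayName, 'Uninstall')) {
            $proc = Start-Process -FilePath 'msiexec.exe' -Wait -PassThru `
                -ArgumentList '/x', $Install.PSChildName, '/qn', '/norestart'
            # Exit code 0 = success, 3010 = success but a reboot is required.
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Name     = $Install.DisplayName
                ExitCode = $proc.ExitCode
            }
        }
    }
}

# Report what is installed on this machine.
$found = @(Get-QuickTimeInstall)
if ($found.Count -eq 0) { "QuickTime not found on $env:COMPUTERNAME" }
else { $found | Format-List }

# Preview the removal first, then run again without -WhatIf from an elevated prompt:
# Get-QuickTimeInstall | Remove-QuickTimeInstall -WhatIf
```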