Quicktime for Windows has a critical vulnerability

Cyber security company Trend Micro has uncovered two critical vulnerabilities in Quicktime for Windows. The Windows version of the program is being phased out, and Apple has announced that there will be no more security patches. OS X versions of Quicktime are not affected.


Quicktime for Windows has expired and is full of holes

See ya Quicktime

Trend Micro released the advisories in line with its Disclosure Policy: when a vendor does not issue a security patch, it publishes an advisory.

Zero Day Initiative released two bulletins, ZDI-16-241 and ZDI-16-242, setting out the vulnerabilities. No attacks are known at the moment, but users should uninstall immediately.

“[B]oth of these are heap corruption remote code execution vulnerabilities. One vulnerability occurs when an attacker can write data outside of an allocated heap buffer.

The other vulnerability occurs in the stco atom where by providing an invalid index, an attacker can write data outside of an allocated heap buffer.

Both vulnerabilities would require a user to visit a malicious web page or open a malicious file to exploit them. And both vulnerabilities would execute code in the security context of the QuickTime player, which in most cases would be that of the logged on user.”

– Christopher Budd (Trend Micro)

So if you are still using Quicktime for Windows, it is time to switch it up. The good news is that there are plenty of (better) options. VLC, 5K Player or KM Player will see you through.

Despite support ending in April 2014, more than 10% of desktop computers worldwide still run Windows XP. It is worth checking work computers and those of family members, or anyone else who might not keep up with regular patches and updates.

How to uninstall Quicktime for Windows

  1. Click Start
  2. Control Panel
  3. Programs and Features
  4. Select Quicktime and click uninstall
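For checking more than one machine, the manual steps above can be scripted. The following PowerShell snippet is an added example, not part of the original article or of any Trend Micro or Apple tooling: it looks for a QuickTime entry in the standard Windows uninstall registry keys and, if asked, runs the recorded MSI uninstaller silently. It assumes an elevated PowerShell session on the machine being checked.

```powershell
# Added example (not from the article): find and optionally remove QuickTime for Windows.
# Run as: .\Check-QuickTime.ps1            -> report only
#         .\Check-QuickTime.ps1 -Remove    -> also run the recorded uninstaller
param([switch]$Remove)

# Uninstall entries live under these keys on 32-bit and 64-bit Windows, plus per-user installs.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-QuickTimeInstall {
    # Match on DisplayName; the product is registered as "QuickTime" or "QuickTime 7".
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'QuickTime*' } |
        Select-Object DisplayName, DisplayVersion, Publisher, UninstallString
}

$found = Get-QuickTimeInstall
if (-not $found) {
    Write-Output 'QuickTime for Windows not found in the uninstall registry.'
    return
}

Write-Warning 'QuickTime for Windows is installed and no longer receives security patches:'
$found | Format-Table -AutoSize

if ($Remove) {
    foreach ($entry in $found) {
        # QuickTime ships as an MSI, so the uninstall string is "MsiExec.exe /X{product-code}".
        # Extract the product code and call msiexec quietly with no forced reboot.
        if ($entry.UninstallString -match '\{[0-9A-Fa-f\-]+\}') {
            $productCode = $Matches[0]
            Write-Output "Uninstalling $($entry.DisplayName) ($productCode)..."
            Start-Process -FilePath 'msiexec.exe' `
                -ArgumentList "/x $productCode /qn /norestart" -Wait
        } else {
            Write-Warning "No MSI product code in uninstall string: $($entry.UninstallString)"
        }
    }
}
```

Only the report path runs by default; the `-Remove` switch is the part that actually changes the machine.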


Other software you should not be using

  • Windows XP – Support ended on April 8, 2014, for this yugely popular operating system.
  • Office 2003 – You definitely used to use this, and it died with XP
  • Windows Server 2003 and 2008 – Back-end servers in SMEs can be slow to get refreshed