Stop QuickTime at the hurry up!
This week’s announcement from Apple that it would no longer be supporting QuickTime for Windows, the multimedia framework that it developed and has now replaced with AV Foundation, has caused quite a stir.
The issue stems from the fact that there are at least two outstanding bugs in good old QuickTime, which will now never be fixed. They are explained on the ZeroDayInitiative site here.
So gruesome are these nasty little bugsses, which facilitate the usual suspects (remote code execution, data exfiltration etc. etc.) that the US-CERT has issued an advisory that it is time to kill QuickTime for windows on your machines now, in fact yesterday. You can read about that here.
Uninstall instructions can be found here.
Obviously we recommend that corporate SysAdmins get to work on deleting QuickTime using whichever Enterprise tool in use and treat machines with QT still running with extreme caution (see below).
That however is not the end of the story. Step forward our old friends Adobe (yes, them, again).
Unfortunately multiple Adobe components rely on QuickTime and it is going to require major code revision within Adobe products to remove the dependency and the associated gaping un-patchable vulnerabilities. You can just bet that somewhere a 40 something bearded coder is sniggering “I told you we should have written our own” over their Pizza/Coffee breakfast/lunch/dinner.
So if you have to continue to use Adobe products, it is very likely that you could be pwned by playing a seemingly innocuous video (possibly involving an Apple), courtesy of QuickTime for Windows. If you weren’t already worried about Adobe, you should be now!
The emergence of sometimes un-patchable issues in legacy code is something you will have heard us witter on about for years. Its only going to get worse before it gets better and we recommend that our customers have a very thorough understanding of what any machine attached to their network is running, and have the capability to automatically remediate, quarantine or detonate non compliant devices, automatically, very quickly.
ITC’s NetSure360° managed security service has a number of tricks up its sleeve that can provide this functionality, enabling you to relax slightly. We would love to discuss them with you!
Please contact us on: [email protected] or 020 7517 3900.