U.S. Department of Homeland Security US-CERT

National Cyber Awareness System:

TA16-105A: Apple Ends Support for QuickTime for Windows; New
Vulnerabilities Announced
04/14/2016 03:48 PM EDT


Original release date: April 14, 2016

Systems Affected
Microsoft Windows with Apple QuickTime installed

Overview
According to Trend Micro, Apple will no longer be providing security
updates for QuickTime for Windows, leaving this software vulnerable to
exploitation. [1]

Description
All software products have a lifecycle. Apple will no longer be providing
security updates for QuickTime for Windows. [1]

The Zero Day Initiative has issued advisories for two vulnerabilities found
in QuickTime for Windows. [2] [3]

Impact
Computer systems running unsupported software are exposed to elevated
cybersecurity dangers, such as increased risks of malicious attacks or
electronic data loss. Exploitation of QuickTime for Windows vulnerabilities
could allow remote attackers to take control of affected systems.

Solution
Computers running QuickTime for Windows will continue to work after support
ends. However, using unsupported software may increase the risks from
viruses and other security threats. Potential negative consequences include
loss of confidentiality, integrity, or availability of data, as well as
damage to system resources or business assets. The only mitigation
available is to uninstall QuickTime for Windows. Users can find
instructions for uninstalling QuickTime for Windows on the Apple Uninstall
QuickTime page. [4]

References
[1] Trend Micro - Urgent Call to Action: Uninstall QuickTime for Windows Today
[2] Zero Day Initiative Advisory ZDI 16-241: (0Day) Apple QuickTime moov
Atom Heap Corruption Remote Code Execution Vulnerabilit
[3] Zero Day Initiative Advisory ZDI 16-242: (0Day) Apple QuickTime Atom
Processing Heap Corruption Remote Code Execution Vulner
[4] Apple - Uninstall QuickTime 7 for Windows
Revision History
April 14, 2016: Initial Release

------------------------------------------------------------------------------- -

This product is provided subject to this Notification and this Privacy
& Use policy.


------------------------------------------------------------------------------- -
A copy of this publication is available at www.us-cert.gov. If you need
help or have questions, please send an email to info{at}us-cert.gov. Do not
reply to this message since this email was sent from a notification-only
address that is not monitored. To ensure you receive future US-CERT
products, please add US-CERT{at}ncas.us-cert.gov to your address book.
OTHER RESOURCES:
Contact Us | Security Publications | Alerts and Tips | Related Resources
STAY CONNECTED:
Sign up for email updates

SUBSCRIBER SERVICES:
Manage Preferences  |  Unsubscribe  |  Help


------------------------------------------------------------------------------- -
This email was sent to Fido4cmech{at}lusfiber.net using GovDelivery, on behalf
of: United States Computer Emergency Readiness Team (US-CERT) · 245 Murray
Lane SW Bldg 410 · Washington, DC 20598 · (888) 282-0870 Powered by
GovDelivery

=== Cut ===


--
Keep the faith   :^)

   Ben  aka cMech  Web: http|ftp|telnet://cmech.dynip.com
                 Email: fido4cmech(at)lusfiber.net
              Home page: http://cmech.dynip.com/homepage/
           WildCat! Board 24/7  +1-337-984-4794  any BAUD 8,N,1

--- GoldED+/W32-MSVC