The Zero Day Initiative has publicly disclosed a pair of serious vulnerabilities in Apple QuickTime for Windows that will not be patched because Apple is deprecating the product for the Microsoft platform.
US-CERT today pushed out an alert advising QuickTime for Windows users that the only mitigation is to uninstall the software.
“Computers running QuickTime for Windows will continue to work after support ends. However, using unsupported software may increase the risks from viruses and other security threats,” US-CERT said. “The only mitigation currently available is to uninstall QuickTime for Windows.”
Public disclosure of the two bugs hastens the urgency for users to distance themselves from QuickTime for Windows. Both vulnerabilities expose Windows machines to remote code execution.
ZDI said it disclosed the issues to Apple on Nov. 11 and after a status check in February, ZDI was invited to a briefing with Apple in March where it was notified that Apple would no longer be supporting QuickTime on the Windows platform. Apple also said it would publish directions for users wishing to uninstall the software.
Both bugs, ZDI said, allow attackers to execute code remotely, but only after the user either opens a malicious file or visits a website hosting an exploit.
One flaw exists in the moov atom, ZDI said.
“By specifying an invalid value for a field within the moov atom, an attacker can write data outside of an allocated heap buffer,” ZDI said in its advisory. “An attacker could leverage this to execute arbitrary code under the context of the QuickTime player.”
The other flaw was discovered within atom processing, ZDI said. “By providing an invalid index, an attacker can write data outside of an allocated heap buffer,” the advisory said.
Apple last patched QuickTime for Windows on Jan. 7 when it pushed out QuickTime 7.7.9. Nine vulnerabilities were patched in the update, which addressed a number of memory corruption issues that could lead to the application crashing and an attacker taking advantage of the situation to run arbitrary code.