When Apple announced that it would discontinue security updates for QuickTime for Windows, it set off a chain reaction that culminated in a warning from the U.S. Department of Homeland Security to remove the program. Now Adobe joins the masses scrambling for a solution.
Apple told cybersecurity firm Trend Micro that it is “deprecating” QuickTime for Windows. They will no longer produce security updates, despite two security holes that are so dire they could allow an attacker to actually take control of a Windows PC with the video player installed.
First, Apple is deprecating QuickTime for Microsoft Windows. They will no longer be issuing security updates for the product on the Windows Platform and recommend users uninstall it. Note that this does not apply to QuickTime on Mac OSX.
Second, our Zero Day Initiative has just released two advisories ZDI-16-241 and ZDI-16-242 detailing two new, critical vulnerabilities affecting QuickTime for Windows. These advisories are being released in accordance with the Zero Day Initiative’s Disclosure Policy for when a vendor does not issue a security patch for a disclosed vulnerability. And because Apple is no longer providing security updates for QuickTime on Windows, these vulnerabilities are never going to be patched. [emphasis added]
Trend Micro’s “Zero Day” policy prompted them to issue this “urgent call to action” on their blog, imploring all QuickTime for Windows users to uninstall the software immediately. The risk is so great that the U.S. government joined its voice with Trend Micro, issuing their own alert through the United States Computer Emergency Readiness Team:
Computer systems running unsupported software are exposed to elevated cybersecurity dangers, such as increased risks of malicious attacks or electronic data loss. Exploitation of QuickTime for Windows vulnerabilities could allow remote attackers to take control of affected systems. [emphasis added]
As US-CERT reminds us, all software has a life span. It’s the sudden cut-and-run nature of Apple’s transformation of their Windows QuickTime platform that has created such a furor, and with good reason. Most people may not even realize that they have QuickTime installed, and will need to check their Program Manager to ensure it’s removed.
Meanwhile, Adobe has begun a furious scramble to extricate itself from dependencies on the QuickTime video codecs in its “professional video, audio and digital imaging applications,” adding that “native decoding of many .mov formats is available today.”
In a brief message to Adobe product users from Madison Murphy on behalf of its Customer Care Team, the company suggested limited workarounds for processes that “unfortunately” rely on the abandoned format. In the meantime, they have worked “extensively” to remove those dependencies altogether. According to the post, this is all part of the plan.
Adobe’s desire has always been to support everything natively without the need for QuickTime. As a result of the above we intend to increase our efforts to remove these incompatibilities, and provide our customers with a complete native pipeline. We will provide more information on this as we progress.
Graphics.com’s Chris Dickman isn’t buying any of it. The founding editor has provided his own translation of Adobe’s message, and it’s a bit less flattering:
Unfortunately? Let me paraphrase that for you: “We didn’t see this coming, your systems are compromised if you keep using our software and we will make no commitment to fixing this.”
Sweet. Of course, Windows users are just expected to suck that up. Although all hell would have broken loose if Adobe’s Mac-based video community had been put at similar risk.
He also brought up Adobe’s recent security gaffe regarding vulnerabilities that may have compromised users in its “Creative Cloud,” comparing Adobe’s widely-used “Flash” video player to a “malignant organism” and advising that if you have it, you should “kill it now.”
While Apple and Adobe focus on covering their exposed digital posteriors, users remain the ones left in the cold. And while Trend Micro has yet to find any instances of these critical vulnerabilities being exploited in the wild, it’s only a matter of time for motivated virtual attackers.
Follow Nate Church @Get2Church on Twitter for the latest news in gaming and technology, and snarky opinions on both.