Microsoft Windows users who still have Apple Quicktime installed should ditch the program now that Apple has stopped shipping security updates for it, warns the Department of Homeland Security‘s U.S. Computer Emergency Readiness Team (US-CERT). The advice came just as researchers are reporting two new critical security holes in Quicktime that likely won’t be patched.
US-CERT cited an April 14 blog post by Christopher Budd at Trend Micro, which runs a program called Zero Day Initiative (ZDI) that buys security vulnerabilities and helps researchers coordinate fixing the bugs with software vendors. Budd urged Windows users to junk Quicktime, citing two new, unpatched vulnerabilities that ZDI detailed which could be used to remotely compromise Windows computers.
“According to Trend Micro, Apple will no longer be providing security updates for QuickTime for Windows, leaving this software vulnerable to exploitation,” US-CERT wrote. The advisory continued:
“Computers running QuickTime for Windows will continue to work after support ends. However, using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets. The only mitigation available is to uninstall QuickTime for Windows. Users can find instructions for uninstalling QuickTime for Windows on the Apple Uninstall QuickTime page.”
While the recommendations from US-CERT and others apparently came as a surprise to many, Apple has been distancing itself from QuickTime on Windows for some time now. In 2013, the Cupertino, Calif. tech giant deprecated all developer APIs for Quicktime on Windows.
Apple shipped an update to Quicktime in January 2016 that removed the Quicktime browser plugin on Windows systems, meaning the threat from browser-based attacks on Quicktime flaws was largely mitigated over the past few months for Windows users who have been keeping up to date with the latest version. Nevertheless, if you have Quicktime on a Windows box — do yourself a favor and get rid of it.
Update, Apr. 21, 10:00 a.m. ET: Apple has finally posted a support document online that explains QuickTime 7 for Windows is no longer supported by Apple. See the full advisory here.
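The advisory's only mitigation is to uninstall QuickTime for Windows, so an administrator's first question is which machines still have it, and whether the legacy browser plug-in is still lying around. The PowerShell below is an added inventory example, not code from this article, US-CERT, ZDI or Apple. It assumes the standard Windows Uninstall registry hives with a DisplayName beginning "QuickTime", and it treats the plug-in file names (npqtplugin*.dll under the QuickTime install folder) and the Mozilla NPAPI registration keys as assumed locations; adjust them if your builds differ.

```powershell
# Added example (not from the article, US-CERT, ZDI or Apple): inventory a Windows host for
# QuickTime components so the uninstall recommendation can be verified across a fleet.
# Assumptions, labelled: standard Uninstall hives and DisplayName "QuickTime*"; plug-in DLL
# names npqtplugin*.dll and the HKLM\SOFTWARE\MozillaPlugins registration are assumed layouts.

function Get-QuickTimeInventory {
    [CmdletBinding()]
    param()

    # QuickTime 7 is a 32-bit package, so on 64-bit Windows it registers under WOW6432Node.
    $uninstallPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $packages = @(
        Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like 'QuickTime*' } |
            Select-Object DisplayName, DisplayVersion, InstallLocation, UninstallString
    )

    # Legacy browser plug-in: the January 2016 update removed it, but older installs or
    # leftover copies may remain. File names and folder are an assumption about typical installs.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $pluginDlls = @(
        foreach ($root in $roots) {
            $qtDir = Join-Path $root 'QuickTime'
            if (Test-Path $qtDir) {
                Get-ChildItem -Path $qtDir -Recurse -Filter 'npqtplugin*.dll' -ErrorAction SilentlyContinue |
                    Select-Object -ExpandProperty FullName
            }
        }
    )

    # NPAPI registration used by Mozilla-style browsers (assumed: one subkey per plug-in).
    $pluginRegKeys = @(
        Get-ChildItem -Path 'HKLM:\SOFTWARE\MozillaPlugins', 'HKLM:\SOFTWARE\WOW6432Node\MozillaPlugins' `
            -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -like '*QuickTime*' } |
            ForEach-Object { $_.PSChildName }
    )

    $found = ($packages.Count -gt 0) -or ($pluginDlls.Count -gt 0) -or ($pluginRegKeys.Count -gt 0)
    $action = if ($found) {
        'Remove QuickTime for Windows: unsupported, no further security updates'
    } else {
        'No QuickTime components found'
    }

    [PSCustomObject]@{
        ComputerName  = $env:COMPUTERNAME
        Installed     = ($packages.Count -gt 0)
        Packages      = $packages
        PluginDlls    = $pluginDlls
        PluginRegKeys = $pluginRegKeys
        Action        = $action
    }
}

# Local run; for a fleet, wrap it in
#   Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Get-QuickTimeInventory}
Get-QuickTimeInventory | Format-List
```

The script only reports. The UninstallString it returns is the vendor-registered removal command (typically an msiexec line), which is the safe input for a separate, reviewed removal step rather than deleting files by hand; keep the Packages list as the before/after evidence that the mitigation was actually applied.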
Sure seems irresponsible of Apple to not notify users. Most will not be aware of this.
Maybe Apple could use their software update process to notify users, or ideally provide an opportunity to uninstall.
I agree. I expressed this to Apple quite loudly these past few days. There is no reason not to come out with a simple page that says what’s what and let their customers/users know for sure. Instead, we get confusion and media panic.
Apple update says the following:
every time you turn on your computer you run the risk of infection.
Remove and Replace QuickTime with VLC media player
QT browser plug-in is vulnerable too, remove it
iTunes is not dependent on QuickTime any more.
QT for Macs will be eliminated shortly as well.
Many older Adobe products require QuickTime to be installed and will install it for you, how sweet.
https://www.google.com/search?q=Adobe+products+for+QuickTime+requirement&ie=utf-8&oe=utf-8
in this day and age of billions of network and internet connections across the planet, if you’re using older versions of vendor products that have long ago or more recently been depreciated and are no longer receiving updates, it’s your own fault when you get Zapped.
it seems that the general consensus is, it won’t happen to me. Ok, let me know how long that works out for you.
besides, QuickTime wasn’t installed in the Windows OS by default anyway. Use VLC Media Player or some open source replacement.
That is all!
Out
QuickTime 7 on OS X has long since been eliminated, though it’s still available for people who need it (e.g. anyone who uses Quicktime to play videos, since the new player lacks even basic features).
Quicktime X on OS X is not likely to go anywhere, since Final Cut X, iMovie, iDVD, etc. are built on top of it. Quicktime X was a ground-up rewrite of Quicktime, whereas Quicktime 7 is legacy code. I’m surprised Apple kept updating Quicktime 7 on Windows for this long; they abandoned that code base on OS X long ago.
I wonder how Microsoft is going to deal with not having Quicktime around? Their approved way of embedding .MP4s into Powerpoint, etc. documents is to use Quicktime. I’m going to guess they won’t deal with it and will just try to brush it under the rug. “Convert everything to our proprietary formats!”
So QT is NOT a proprietary format? That’s news to me. Funny, when Microsoft has a format, it’s proprietary, but when Apple has it, it’s a cross between perfect and legendary.
Too bad a lot of DVRs require QuickTime to view live or recorded data via their web interface and most of the customers we have are too stupid to know to only use Internet Explorer for a single function.
US-CERT cites Trend Micro, but Trend Micro doesn’t say anything to support their claim that Apple has abandoned Quicktime for Windows. I agree that it’s not good to run software with vulnerabilities, but the reporting is sketchy.
Actually, Richard, if you click on the two different ZDI advisory links, you can see a timeline for both where they say Apple alerted them that they would be deprecating QT.
http://www.zerodayinitiative.com/advisories/ZDI-16-242/
This vulnerability is being disclosed publicly without a patch because vendor indicates that the product is deprecated.
11/11/2015 – ZDI reported 2 vulnerabilities to the vendor
11/11/2015 – The vendor acknowledged receipt of both reports
02/29/2016 – ZDI wrote to the vendor requesting a status update
03/08/2016 – The vendor replied, inviting ZDI to a call
03/09/2016 – ZDI joined a call with the vendor:
ZDI was advised that the product would be deprecated on Windows and the vendor would publish removal instructions for users.
ZDI advised the vendor that the cases would be 0-day.
03/24/2016 – ZDI notified the vendor of the intent to 0-day on or after 4/13
04/01/2016 – The vendor acknowledged and provided a link to their removal instructions
Brian, the problem is the ZDI postings, like the Trend Micro blog posting, are simply hearsay. It’s a third party making claims on behalf of Apple regarding Apple’s software lifecycle. While Trend Micro and US-CERT are both reasonably trustworthy sources in my book, they’re still not a substitute for getting product information directly from the vendor. In this case I think you and the rest of the media are being far to lenient with Apple regarding what is a huge communications gaffe on Apple’s part. Hey, you can tell them I said that, for what good it will do. 😉
They need to grow up and publish some sort of software lifecycle, with a minimum of clearly stated end-of-life announcements.
s/far to lenient/far too lenient/;
Stupid fingers….
Which is why Apple should say something, no? Why is it that Mac people pretend that Apple can do no wrong, and seek to blame all these “third parties” for speaking out of turn. I would think that for the billions Apple rakes in, they could spend a LITTLE of that money on a PR person that can respond to this type of stuff, that is after all coming out from HOMELAND SECURITY and impacting virtually every Windows user of an APPLE product, that they abandoned virtually without warning and with a horrendously embarrassing “fix” of uninstalling, even though there are a bevy of Apple products that RELY on QT. So one idiot at Apple comes up with a hair-brained scheme to stiff Microsoft by just saying “uninstall it” without having at least ONE other idiot at Apple test what the impact of that is. Funny, as soon as I read this in media my response was to NOT uninstall until we determine what impact uninstalling would have. This is 100% pure common sense. Apple should be embarrassed. But as long as their stock price doesn’t move, I imagine they won’t care if their corporate negligence causes Windows users of their products to lose their systems. If they think this ends up a black eye on Microsoft, they’re wrong.
….But. Apple make some vague claim that it has addressed the related issues referenced on the ZDI’s site – hence the QuickTime version for Windows 7.7.9 released on the 7th January this year. So does that mean the real problem is Apple’s incredibly poor manner of announcing the deprecation of the Windows version of QuickTime? I found a little sentence buried on their site mentioning the end for QuickTime for Windows. However, today I received a popup for QuickTime announcing the 7.7.9 “security update” on a Windows 7 system. No information whatsoever that it will no longer be supported.
“First, Apple is deprecating QuickTime for Microsoft Windows. They will no longer be issuing security updates for the product on the Windows Platform and recommend users uninstall it. Note that this does not apply to QuickTime on Mac OSX.”
http://blog.trendmicro.com/urgent-call-action-uninstall-quicktime-windows-today/
What about iTunes? I thought iTunes used a lot of the QuickTime code.
What is the vulnerability, really, if the QuickTime browser plug-in is no longer installed since January? Is that mitigation by itself sufficient?
off-topic: The “…most of the customers we have are too stupid…” comment smacks of contempt for customers, and misses the point about security. I’m not saying it’s untrue, because many people are “too stupid” from time-to-time, and good security should depend as little as possible on the user.
iTunes is not dependent on QuickTime any more.
I was working on my daughter’s machine over the weekend backing up her iPhone, iTunes wanted an update and the Apple Update Utility was still offering QuickTime on Windows as an installation option. Apple should really remove it from the update utility.
This is very irresponsible of Apple after pushing QuickTime on Windows for many years. Now we’re stuck with all those devices that only produce QuickTime format videos such as many types of cameras.
email the vendor about that, if the device is not in production anymore then you know the drill. but if it is, request that they fix it. other than that, don’t buy products that don’t support formats you don’t or can’t use anymore. that’ll send a message to the OEMs that create useless stuff.
Annoying, as noted earlier though, open source VLC Media Player will play your Quicktime movies securely.
Weird: as of Monday 4/18/2016 Apple is still offering quicktime for windows here:
http://www.apple.com/quicktime/
Windows XP in the screenshot. Is that IE 6?
LOL.. … Yes, it is 🙂
Even if Apple pulls all QT4Windows downloads now, there are many other Websites that host many different past releases of QT.
Anybody know of a good (and free) QT->MP4 transcoder?
MP4 is based on the quicktime container format. If it’s MPEG4 encoded, just rename .qt to .mp4 😉
If not, then perhaps the quicktime alternative codec package might have a transcode option.
Just to be clear, the browser plugin is the largest infection vector. If there’s viruses in Quicktime container aka MPEG4 files (now a W3C HTML5 standard), then we’ve got a much bigger problem to deal with.
This leaves some Adobe Creative Cloud users in an awkward spot: http://www.graphics.com/article/creative-cloud-chronicles-adobe-fails-mitigate-quicktime-windows-threat
It sounds like Apple thinks it’s perfectly okay to be irresponsible. Software vulnerabilities are one of the biggest problems we have these days.
Please keep on pushing them. Automatic uninstall sounds good to me.
On my system any number of programs have installed or attempted to install various Apple based programs. Many of those Apple based programs have either installed or attempted to install Quick Time. Through last Fall I would sometimes see a request to make Quick Time the default for any number of video or audio types. I always said no. I became tired of the kerfuffle and with this recent announcement a few days ago I simply removed ALL Apple generated or originated software. Simple process via ‘add and remove programs’ and with scanning my machine it appears to have been successful.
I do use VLC Media Player, HTML5/HTML5.js and a sand-boxed version of Flash as needed. I look forward to no longer needing flash in my environment, but that has not yet happened.
I’m trying to verify if this includes the quicktime browser plugin??
I can cleanup QT on our corp machines… but wondering if I need to look for QT plug ins?
Does that mean that Microsoft’s Media Player may some day recognize device orientation of iPhones? The only reason I still use QT is because it is the only software on a WIN box that won’t play my iPhone videos sideways or upside-down 🙁 ???
I think you’re supposed to use OSX-based computers in conjunction with iPhones since they are both Apple products.
I haven’t tested it, but… I think vlc [1] 2.1+ should “just work”
Apparently iPhones include some exif information describing rotation, and clients (such as vlc 2.0, and presumably wmp).
Windows Movie Maker [2] and various other tools [3] should also be able to “fix” this problem (on a permanent, but one-off basis).
[1] http://www.videolan.org/vlc/download-windows.html
[2] http://windows.microsoft.com/en-ca/windows/movie-maker
[3] https://www.iskysoft.com/video-editing/video-rotate-tools.html
Perhaps a class action lawsuit against Apple is in order if they fail to notify the public or attempt to auto-uninstall the product or provide a patch.
Engineer-speak at its finest. To “deprecate” is to “criticize.” That is not what Apple is doing here.
Just like “populate” and “migrate” do not mean what some engineers seem to think they mean.
It’s worrisome when the real meanings of words get changed by people with some sort of power, just like in “1984.”
deprecate: “express disapproval of”. Makes sense to me why “engineers” use it. Sounds less like 1984 and more like people inventing new technology trying to find words to describe things.
Or possibly words can acquire new meanings as the language evolves to accommodate new things.
https://en.wiktionary.org/wiki/deprecate
deprecate: (v) [2] To declare something obsolescent; to recommend against a function, technique, command, etc. that still works but has been replaced.
To ‘deprecate’ something is to express disapproval of that thing. Which is exactly what software engineers mean when they talk about code which they no longer approve of. Migration does not only refer to human migration. We talk about cell migration, bird migration, insect migration. We talk about ion and free radical migration. Neither of these two are ‘organic’ as such. If you go to the Oxford dictionary for the word ‘population’ you will find that it has a biological, an astronomic and a statistical meaning. Its statistical meaning applies within the context of data processing.
Language is important and the world needs language warriors. But squire — they must be righteous warriors. I am still waiting for one to come along and slay the word ‘instantiate’.
Depreciate not depricate.
Oddly enough, although I have heard many say depreciate, looking at definitions, deprecate seems appropriate. I stand corrected.
«In general English usage, the infinitive “to deprecate” means “to express disapproval of (something)”. It derives from the Latin verb deprecare, meaning “to ward off (a disaster) by prayer”. Thus, for one to state that a feature is deprecated is merely a recommendation against using it. It is still possible to produce a program or product without heeding the deprecation.»
«The term deprecated may also be used when a non-computer technical term becomes obsolete, either through change or superseding. Before being re-recognized as a unique genus, an example in paleontology was the (no longer) deprecated term Brontosaurus, the formerly popular name for the genus Apatosaurus. Examples from medicine include consumption (tuberculosis), grippe (influenza), and apoplexy (stroke).»
From Wikipedia[1]. Basically, you’re complaining that some English speakers (programmers, architects, scientists) are familiar with Latin (and Greek).
«But again, why use “dead” languages, Latin and Classical Greek, to form scientific and technical terms? First, it is traditional—as we saw above. Second, in a “dead” language, the meaning of a word does not change. It is frozen. Callus will always mean ‘hard skin’ in Latin. In a living language, words acquire new meanings. In 1930, acid meant a chemical like the acetic acid in vinegar. Nowadays “acid” is English slang for LSD, a dangerous hallucinogenic drug. Because precise meaning and precise use of words is crucial in all forms of scientific communication, it helps to be able to make new medical terms from Latin and Greek roots whose meanings do not alter over time.»
[1] https://en.wikipedia.org/wiki/Deprecation
[2] http://www.billcasselman.com/opening_page_two/botany_names_two.htm
Glad to hear their last patch unplugged from the browser–checking that was my next thought as I read. Though I disabled the browser plug-in a while ago, it is a little bit responsible of Apple to address that in a patch for the users, as they did. I just wish I knew we were abandoned back in 2013. Thanks for the heads-up (BK). When I updated to QT 7.something.79, the most recent version, I didn’t read anything & presumed it was just a simple bug-and-codec patch as before. We (I) really need to read patch info more often. Can anyone suggest good places to go for finding out what a patch does? In Windows 7, I know I can click on “More information” for each individual patch to get to support.microsoft.com/kb/########
Any other good summary places?
Good question.
I’d hope that Secunia’s Personal Software Inspector [1] would be able to do that. (n.b. I don’t use it.)
One approach (really rough) is to search the CVE database directly [2]. Entries should point to the vendor report, give you the ability to figure out which versions were affected / fixed (and in what release), and a technical explanation of the flaw.
[1] http://www.flexerasoftware.com/enterprise/products/software-vulnerability-management/personal-software-inspector/tab/features
[2] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=quicktime
Sometimes, it’s best to forget all about the idea of updating and just stop using something…..then remove it completely.
I stopped using Quicktime many many years ago. I have no use for it.
Groan!
It’s 2016 and cross platform video presentations remain completely borked.
any Mac-produced mp4 video content imported to PowerPoint presentations invariably breaks PowerPoint.
Whenever this happens in a public talk, I mildly curse MS, then fire up the video in QuickTime.
Cursing Apple must now be added to this workflow of fail.
If MS could play open standard MP4 content reliably, then no one would care about QuickTime on Windows. But Windows can’t after all these years and therefore probably never will.
Ideally for polished presentations it would be best to migrate away from MS and PowerPoint completely, which is undoubtedly behind this, but that also remains unrealistic.
Have you tried VLC player? It’s free open source
I am confused about this topic. I have all itunes loaded on my windows PC. Will my itunes still play if I remove quicktime? Or do I need to replace it with another program. Lastly, I converted all MPEG itunes files to ACC, advanced audio coding, will I need to convert back to MPEG files?
“Will my itunes still play if I remove quicktime? Or do I need to replace it with another program. Lastly, I converted all MPEG itunes files to ACC, advanced audio coding, will I need to convert back to MPEG files?”
Yes, no, and no.
(I’m assuming you meant you convert MP3 sound files to AAC, not videos to the Atlantic Coast Conference….)
As other commenters have said, iTunes no longer depends on QuickTime in any way; also, there are plenty of other media players that support AAC, like iTunes, Windows Media Player, and security-conscious favorite VLC.
Basically the only reason you’d need QuickTime is for the plugin, for those legacy websites and Web-based control panels that used it: Every other use of QuickTime, including playing every format that QuickTime supports, can be performed with an alternative.
I cannot begin to tell you how upset I am with Apple’s cavalier blow-off of its loyal subscribers. Over the years, Apple has pushed Quicktime onto Windows users, and now it’s throwing them under the bus. Many cameras, such as Nikon and Canon, use .MOV (Quicktime) for recording video.
Picasa, probably the world’s most popular photo organizer, with many millions of users, will only play video that also plays in Windows Media Player (no longer available in Win 10) or Quicktime (no longer supported). Picasa apparently uses Quicktime code, since after I deleted QT, I had to reinstall it in order to play videos in Picasa.
In other words, uninstalling QT is not feasible if you use Picasa, as do many millions of people.
Why limit yourself that way?
I made the decision a very long time ago to not use .mov simply because of Quicktime. It isn’t needed and it’s too proprietary. I know some kind of player is needed. I would recommend VLC. The way I see it, if VLC can’t play it then it isn’t anything I need.
As for photo organizers….come on man!
Organizing .jpg’s should be the easiest thing in the world. Why torture yourself with someone else’s ideas (and code) of how to arrange these things. The family photo album is special and really shouldn’t be subject to any form of software update. That’s not to mention that using other people’s software to organize these things just becomes something else to update and worry about when it comes to vulnerabilities. Particularly since organizing this stuff really doesn’t even need software to begin with. It’s a lazy way of doing things.
The bottom line with this is that it all becomes useless software that ends up creating problems. These machines are so much more powerful than that. Take control of your stuff or your stuff will take control of you.
Picasa is as dead as Quicktime for Windows.
https://picasa.google.com/
My first experience with Apple Quicktime was at a military organization. They wanted it pushed to all computer systems (minus servers) so that they could utilize a feature where it would show a part of the movie in a link inserted into a website. I was like Really? Ever hear of a JPG photo made from a screen capture?
That year, there were about 6-7 updates. Ever since that debacle, if I see it on an image, I am quick to point out all my experiences with software of any type that is pretty much useless on a windows box.
I am glad to see, at least a decade later, some of these people coming to life and kicking out old and antiquated software.
So the annoying part is that we’re told to remove things like QuickTime, Flash and Java yet there are hundreds/thousands of apps/sites/media that rely on them.
Is there a plan to resolve this? Um, no. Just don’t use it.
It’s good to see Brian on this, but where are the developers who created all the QuickTime/Flash/Java content? What are they doing? Nothing. What Apple, Adobe and Sun? Nothing either.
Well…
Most of the developers who created that content are no longer affiliated with that content. It’s like complaining about the guy who wrote a news article in the year 1912 [1][2]. Sure the article is still around, but, can you really expect someone to change it.
There are solutions though. The Internet Archive hosts quite a bit of old content and allows you to use it in your web browser [3] — they do this by using a series of emulators (typically a C based pc/dos emulator + a C to JS compiler). Eventually someone could probably do the same thing for Java (Google for instance has GWT which is a system that converts [a subset of] Java to JavaScript). There are also tools to convert Flash to HTML5, and of course these days your average web browser uses JavaScript to convert PDFs to HTML5.
[1] http://www.titanicuniverse.com/wp-content/uploads/2012/01/titanic-unsinkable.jpg
[2] https://www.rd.com/wp-content/uploads/2012/03/unsinkable-titanic-original-RD-pa.jpg
[3] https://archive.org/details/classicpcgames
My husband is terrified to delete QuickTime. He has ITunes version 12.0.1.26 and is afraid that if he deletes QT that all his 10,000 songs will go with it. I keep explaining that QT and ITunes are not “together” as they once were.
So, since you seem to know what you’re talking about, could you please, please, make him feel better that he will NOT lose his 10,000 songs and it is quite safe to delete QT? I have already done so on my computer and to prove to him it still worked, I downloaded a new CD into my ITunes. Everything worked fine.
Any advice to HIM would be helpful here! Thank you!!
Suzy Carr
Suzy, If he’s terrified of losing the songs, he should have a backup!
What if his computer crashed, would he lose everything? Does he have any backups?
A 2tb portable USB backup drive is under $100 nowadays.
Backup the music or computer, then remove QT. Nothing should happen, but if it does, you have the backup, which everyone should have anyways in case of a crash!
Suzy
Ask him how he will feel if his system is compromised by a zero day that is not patched and he loses more than just his songs. The only functionality he will lose by not having QuickTime is the ability to play certain video formats (apple). To be extra safe have him run a backup of his iTunes first, but he’s already doing this anyway right? to protect his music he loves so much?
Backup iTunes
https://support.apple.com/en-us/HT201625
Suzy:
I understand you’re looking for something to make him feel better. I’m asking you to consider what it means when you say “My husband is terrified to delete QuickTime.”. Those songs are not worth the kind of control they have over him. It’s not much different from a drug.
Mikeyp:
Websites that require quicktime, java, and flash should be avoided. The only useful websites that use flash are speed test sites and even that has work arounds. Consider this website ….. no flash, java, or quicktime required here. I know that many people must use these things for their jobs and all of that is on the employer. Keep it on company machines and don’t get your hands dirty and you will be ok. There are a lot of things out there that look good and have all that shiny beads and shallow flattery. Consider that the webmasters that run those sites already know the dangers they put you in by doing things the way they do. They break their own sites and very likely don’t even see it. They probably think they are doing good things.
what about updated version of java 8.9?
sorry it should be java 8.91
correct me it should be version java 8.91. sorry!
Well those of us that use CVSS based vulnerability management platforms are being told to remove QT from Windows systems.
https://www.tenable.com/plugins/index.php?view=single&id=90544
It’s a bit ironic that in the same month that Linux userspace APIs get ported to Windows, the MacOS APIs get deprecated. QuickTime was a port of many MacOS APIs to Windows.
A lot of bouncing around the topic, and I’ve posed this question on the initial Trend Micro post, via Twitter, and sent it directly to a few security researchers…with ZERO response. This tells me I’m either an idiot and not worthy of response…or possibly, that this is a much larger issue than a player or API vulnerability.
Has the heap overflow issue with .MOV files, specifically the moov and index atoms, been tested with other players, editors, and frameworks? In other words, could an attacker use FFmpeg, Sorenson Squeeze, Telestream or another to create a malicious .MOV file that can leverage these vulnerabilities when played back in Windows Media Player, VLC, MPC-HC, GOM, Adobe, Avid, and every other piece of multimedia software out there?
HELLO? Is this thing on???
All this bickering about if there’s official news coming out of Apple or not should now be settled. Apple’s official notice is now part of Krebs story above:
https://support.apple.com/kb/DL837
“Important: QuickTime 7 for Windows is no longer supported by Apple.”
They say it’s not needed anymore since the newer windows have support built in.