Apple Ends QuickTime for Windows Support Despite Zero-Day Risks
Windows users are left stranded and vulnerable to "true" zero-day vulnerabilities, exploits for which there is no patch and none coming either.
Typically, software vendors provide users with some public direction or announcement on when a product will no longer be supported and will reach its end of life. Apparently, that didn't happen with Apple's QuickTime media player for Windows, which is now at risk from a pair of zero-day vulnerabilities that will not be patched.
The Zero Day Initiative (ZDI), which is owned by security vendor Trend Micro, issued a pair of security advisories on April 14 warning of zero-day vulnerabilities in Apple's QuickTime for Windows. "The vendor has 120 days from notification until we release our advisory," Christopher Budd, global threat communications manager at Trend Micro, told eWEEK. "They can petition for an extension, which will be evaluated on a case-by-case basis."
Source Incite security researcher Steven Seeley reported the two Apple QuickTime vulnerabilities to ZDI. ZDI, which became part of Trend Micro by way of a $300 million acquisition of TippingPoint from Hewlett Packard Enterprise, is in the business of buying vulnerabilities from security researchers and then responsibly disclosing them to vendors so they can be patched. ZDI is not publicly disclosing what it paid Seeley for the vulnerabilities.
According to the ZDI's disclosure timeline, it reported the two QuickTime for Windows vulnerabilities to Apple on Nov. 11, 2015, and Apple acknowledged that it received the vulnerability reports the same day. On March 9, 2016, ZDI was on a call with Apple, where it was informed that QuickTime for Windows was going to be deprecated. At that point, ZDI noted that it warned Apple that the two flaws would be considered zero-days.