Typically, software vendors provide users with some public direction or announcement on when a product will no longer be supported and reaches its end of life. Apparently, that didn’t happen with Apple’s QuickTime media player for Windows, which is now at risk from a pair of zero-day vulnerabilities that will not be patched.
The Zero Day Initiative (ZDI), which is owned by security vendor Trend Micro, issued a pair of security advisories on April 14 warning of zero-day vulnerabilities in Apple’s QuickTime for Windows.
“The vendor has 120 days from notification until we release our advisory,” Christopher Budd, global threat communications manager at Trend Micro, told eWEEK. “They can petition for an extension, which will be evaluated on a case-by-case basis.”
Source Incite security researcher Steven Seeley reported the two Apple QuickTime vulnerabilities to ZDI. ZDI, which became part of Trend Micro by way of a $300 million acquisition of TippingPoint from Hewlett Packard Enterprise, is in the business of buying vulnerabilities from security researchers and then responsibly disclosing them to vendors so they can be patched. ZDI is not publicly disclosing what it paid Seeley for the vulnerabilities.
According to the ZDI’s disclosure timeline, it reported the two QuickTime for Windows vulnerabilities to Apple on Nov. 11, 2015, and Apple acknowledged that it received the vulnerability reports the same day. On March 9, 2016, ZDI was on a call with Apple, where it was informed that QuickTime for Windows was going to be deprecated. At that point, ZDI noted that it warned Apple that the two flaws would be considered zero-days.
Both the ZDI-16-241 and ZDI-16-242 flaws in Apple’s QuickTime for Windows are memory heap corruption remote code execution vulnerabilities. “Both vulnerabilities can be exploited by malicious Web pages that the user would have to navigate to,” Budd said.
The two issues are specific to Apple’s QuickTime on Windows and do not impact QuickTime on the OS X operating system.
The only public response Apple has provided to date for the QuickTime issue is a link to a support page providing uninstall instructions.
“Websites increasingly use the HTML5 web standard for a better video-playback experience across a wide range of browsers and devices, without additional software or plug-ins,” Apple stated. “Removing legacy browser plug-ins enhances the security of your PC.”
The fact that Apple didn’t provide notice for ending support of QuickTime for Windows ahead of ZDI’s vulnerability report wasn’t necessary a surprise for Budd and Trend Micro.
“I wouldn’t say we were surprised, but there is no public timeline for support ending for QuickTime like you have with Microsoft and their products or Oracle with theirs,” Budd said.
Going a step further, while ZDI has now publicly disclosed two flaws in Apple’s QuickTime for Windows, there could well be additional security vulnerabilities in the software that haven’t yet passed ZDI’s 120-day disclosure policy.
“We make a list of upcoming advisories available here: http://www.zerodayinitiative.com/advisories/upcoming/,” Budd said. “To protect everyone, we don’t go into any more detail than is provided there.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.