Computerworld

Federal cyber team tells Windows users to quit QuickTime

Apple's stopped patching the aged media player and vulnerabilities just went public, so yank it, advises US-CERT

The cyber readiness team that's part of the U.S. Department of Homeland Security has advised Windows users to uninstall Apple's QuickTime media player from their PCs.

"Computers running QuickTime for Windows will continue to work after support ends," US-CERT wrote in an advisory published Thursday. "However, using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets. The only mitigation available is to uninstall QuickTime for Windows."

US-CERT (U.S. Computer Emergency Readiness Team) based its alert on news Thursday from Trend Micro's TippingPoint group, which said it had been told by Apple that QuickTime on Windows had been deprecated, or dropped from support, meaning no future security updates will be issued and development has been halted.

The halt in development wasn't new: Apple hasn't significantly upgraded QuickTime for Windows since 2009, when it launched QuickTime X for OS X but didn't port the new player to Windows. The most recent security update for QuickTime on Windows was issued three months ago.

Apple let TippingPoint in on the deprecation because the latter's researchers had forwarded details about two vulnerabilities submitted to its Zero Day Initiative (ZDI) bug bounty program. After TippingPoint asked Apple for a status update on the bugs' patches -- it had handed Apple information about the vulnerabilities in November -- representatives from the Cupertino, Calif. company got on the phone and told the researchers that QuickTime for Windows was a dead product.

On the same day that Apple and TippingPoint talked, Apple published instructions for uninstalling QuickTime from Windows PCs.

Apple has not changed its support policies for QuickTime on OS X, which will continue to receive security updates.

Few Windows users will miss QuickTime: Although the media player was once an integral part of iTunes, Apple stopped bundling QuickTime with iTunes on Windows in 2011.

Others preceded Apple in dropping QuickTime. In a drawn-out process, Google first began blocking old-style plug-ins from automatically running in the Chrome browser, then last year finished removing support for NPAPI plug-ins such as QuickTime, Microsoft's Silverlight and Oracle's Java.

Mozilla announced similar plans last year, saying then that it would bar virtually all plug-ins built using the decades-old technology by the end of 2016.

Apple used to rely on QuickTime to stream its live events to Windows PCs, but recently switched to HLS (HTTP Live Streaming), an Apple-implemented protocol. Because Windows 10's Edge browser supports HLS, Apple has listed that version of Microsoft's operating system and browser as the sole choice for Windows users who want to view its webcasts.

Apple did not respond to questions about QuickTime for Windows' demise, including the support status of the $30 QuickTime Pro on the platform, which the company continued to offer on its website today.