The reason you should uninstall Quicktime for Windows immediately

Software being abandoned by its developers isn't new, but there are solid reasons why Quicktime for Windows shouldn't just languish in a folder on your PC. Windows users should uninstall Apple's Quicktime today for more than good housekeeping: researchers have identified potential security risks in it.

According to the Zero Day Initiative, two different potential exploits – known as ZDI-16-241 and ZDI-16-242 – have been observed in the most recent release of Quicktime for Windows. Detailed publicly earlier this week, they rely on a user visiting either a compromised webpage or opening a compromised file.

Should that happen, the exploit takes advantage of what are known as "heap corruption remote code execution vulnerabilities", where memory allocated to an application is corrupted intentionally so that it can be used to run other code.

Each of the two identified exploits would allow that code to run in slightly different locations and ways, but either way it could lead to malware being installed or system instabilities. In a potential worst-case scenario, hackers could remotely take control of the user's computer after installing code through the exploit.

According to Trend Micro:

"[Both] of these are heap corruption remote code execution vulnerabilities. One vulnerability occurs an attacker can write data outside of an allocated heap buffer. The other vulnerability occurs in the stco atom where by providing an invalid index, an attacker can write data outside of an allocated heap buffer. Both vulnerabilities would require a user to visit a malicious web page or open a malicious file to exploit them. And both vulnerabilities would execute code in the security context the QuickTime player, which in most cases would be that of the logged on user."

The problem here is that Apple has effectively ceased any development or maintenance on Quicktime for Windows, and that means that even if security issues are identified, there's nobody working on patching them.

Trend Micro, which runs the Zero Day Initiative, informed Apple that it had discovered the potential problems in November 2015, only to be told in return in early March this year that Quicktime for Windows was being axed. Rather than patching the problems, Apple decided, it would instead advise all users to uninstall the software altogether.

Actually doing that involves going to the Windows control panel, choosing Programs and Features, and then – if you're on Windows 10 – picking the Quicktime app from the list before clicking "Uninstall".
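For anyone checking more than one PC, the same question ("is Quicktime still installed here?") can be answered from PowerShell. This is an added example, not part of the original article or any Apple or Trend Micro tooling; it only reads the registry and assumes the installer registered a display name containing "QuickTime".

```powershell
# Added example: read-only inventory check for QuickTime for Windows.
# It reads the same uninstall entries that "Programs and Features" lists.
# Assumption: the product's DisplayName contains the string "QuickTime".

$uninstallRoots = @(
    # 64-bit (or native 32-bit) per-machine installs
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    # 32-bit installs on 64-bit Windows
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    # per-user installs
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Find-QuickTimeInstall {
    param([string]$NamePattern = '*QuickTime*')

    foreach ($root in $uninstallRoots) {
        # A root that does not exist (e.g. WOW6432Node on 32-bit Windows)
        # is skipped silently instead of raising an error.
        Get-ItemProperty -Path $root -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like $NamePattern } |
            Select-Object DisplayName, DisplayVersion, Publisher, UninstallString,
                @{ Name       = 'RegistryKey'
                   Expression = { $_.PSPath -replace '^.*::', '' } }
    }
}

$found = @(Find-QuickTimeInstall)

if ($found.Count -eq 0) {
    Write-Output "No QuickTime entry found on $env:COMPUTERNAME."
} else {
    Write-Output "QuickTime is still installed on $env:COMPUTERNAME :"
    # UninstallString is shown for reference only; nothing is removed here.
    $found | Format-List
}
```

Run it again after uninstalling through Programs and Features to confirm the entry is gone.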

Though the security researchers say that they're yet to see an example of a hack taking advantage of the loopholes in Quicktime for Windows in the wild, the fact that the existence of the potential exploits has been made public could motivate those with nefarious intentions to go hunting for potential victims with vulnerable systems.

Those using OS X on a Mac needn't worry, however, as Quicktime for Mac is not affected.
