Daily Archives: April 19, 2016

Apple Ends Support for QuickTime for Windows

Last week Apple indirectly announced that it would no longer be providing support or security updates for its QuickTime player when installed on Microsoft Windows. Please note that QuickTime for Mac OS X is not affected by this change.

Why Should This Change Be Considered Important?
The recent public disclosure of 2 critical security vulnerabilities (detailed here and here) means that QuickTime is currently vulnerable to these issues and will remain so. These issues were originally responsibly disclosed (defined) to Apple in late 2015. After carrying out a decision-making process, Apple has concluded that security updates and support for QuickTime on Windows should now be withdrawn. This appears to be due to their decision to withdraw this product from their future roadmap (as shown in the ZDI security advisories linked to above).

How Can I Protect Myself From These Newly Disclosed Issues and in the Future?

As recommended by US-CERT as well as Trend Micro and within this InfoWorld article, the only certain way to protect yourself from these newly disclosed vulnerabilities is to uninstall QuickTime for Windows.

The above recommendation will also protect you going forward, since software that you don’t have installed cannot be exploited (provided no remnants/leftovers remain after uninstalling).

I use QuickTime for Windows for Essential Workflows or Business Purposes, What Can I Use Going Forward?
As detailed in the previously linked Trend Micro blog post, alternatives such as the K-Lite Media Codec Pack, QT Lite and Media Player Classic are available. If you use QuickTime only as a media player, you could consider the open-source (defined: the source code (human-readable code) is free to view and edit by the wider IT community) VideoLAN VLC player.

Alternatively, if none of the above QuickTime substitutes meet your specific needs, you could consider installing the most recent version of QuickTime (version 7.7.9) onto a supported version of Windows and then air-gapping that PC. The concept of air-gapping is discussed in depth in a previous blog post. But as discussed in that post, this approach is not without disadvantages and isn’t 100% safe.

If These Issues Are So Serious Why Is Apple QuickTime For Windows Still Available To Download?
As discussed above QuickTime has many varied uses and simply withdrawing it from the download page would have been even more inconvenient.

In addition, Apple did not publish a timeline in advance for phasing out QuickTime, and possibly for this reason it remains available so as not to inconvenience existing users. This also allows anybody using a version prior to 7.7.9 to update to the most recent version to protect against previously resolved vulnerabilities.
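To check whether a Windows PC still has QuickTime registered as installed, whether that copy is older than 7.7.9, and whether install-folder leftovers remain after an uninstall, the following PowerShell script is an added example (not from the original post or from Apple). It assumes the standard Windows Uninstall registry keys (32- and 64-bit views) and the default QuickTime install folder under %ProgramFiles(x86)%; adjust the paths for a custom installation.

```powershell
# Added example (not from the original post): inventory check for QuickTime for Windows.
# Reports whether QuickTime is still registered as installed, its version relative to
# 7.7.9 (the last release named in the post), and whether install-folder remnants remain.
# Assumptions: the standard Uninstall registry keys (32- and 64-bit views) and the
# default install folder under %ProgramFiles(x86)%\QuickTime are the places to look.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Collect every registered product whose display name mentions QuickTime.
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*QuickTime*' } |
    Select-Object DisplayName, DisplayVersion, UninstallString

$lastRelease = [version]'7.7.9'

if ($installed) {
    foreach ($app in $installed) {
        $ver = $null
        [void][version]::TryParse($app.DisplayVersion, [ref]$ver)
        if ($ver -and $ver -lt $lastRelease) {
            $state = "older than $lastRelease, so also missing previously fixed issues"
        } else {
            $state = 'latest release, but still unsupported and unpatched'
        }
        Write-Output ("INSTALLED: {0} {1} ({2})" -f $app.DisplayName, $app.DisplayVersion, $state)
        Write-Output ("  Uninstall command: {0}" -f $app.UninstallString)
    }
} else {
    Write-Output 'QuickTime is not registered as an installed program.'
}

# Leftover files after an uninstall (assumed default paths; adjust for a custom install).
$remnantPaths = @("${env:ProgramFiles(x86)}\QuickTime", "$env:ProgramFiles\QuickTime")
foreach ($path in $remnantPaths) {
    if (Test-Path $path) {
        Write-Output "REMNANT: $path still exists; remove it once nothing else depends on it."
    }
}
```

Run it in an elevated PowerShell session so both registry views are readable; the script only reads and reports, it does not uninstall anything itself.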

==========
I hope that this information is useful to you as you gradually transition away from QuickTime for Windows in order to avoid possible exposure to the above-mentioned vulnerabilities as well as future vulnerabilities that may be discovered.

Thank you.

VMware Security Updates Address Potential Man-in-the-Middle Attack

In the latter half of last week VMware released security updates for the following products:

  • vCenter Server v6.0 (prior to 6.0 U2)
  • vCenter Server 5.5 U3a – U3c
  • vCloud Director version 5.5.5 for Windows
  • vRealize Automation Identity Appliance version 6.2.4 for Linux
  • Client Integration Plugin for Apple Mac OS X and Windows

These updates resolve a potential man-in-the-middle attack (MiTM) (defined) that is caused by an error in how the VMware Client Integration Plugin handles session content. This issue was assigned the CVE number (defined) CVE-2016-2076.

Why Should This Issue Be Considered Important?
If an attacker were to successfully exploit this issue, it may lead to the disclosure of information within the session between the client and the server (as a result of the man-in-the-middle attack). This issue could also result in the session between the client and the server being hijacked if the user of the vSphere Web Client were to visit a malicious website.

How Can I Protect Myself From This Issue?
VMware have released updates to resolve this issue within the affected products. Please refer to VMware’s security advisory to download the necessary updates.

Please note that both the server-side devices (i.e. vCenter Server, vCloud Director and vRealize Automation Identity Appliance) and client-side devices (i.e. the Client Integration Plugin (CIP) of the vSphere Web Client) that communicate during a session must be separately updated to protect against this issue.

A step-by-step installation checklist for performing these updates on the affected products is also provided in the above-mentioned advisory.

Thank you.