MU Information Security Elevated Risk Advisory
Apple QuickTime for Windows
Apple has announced that it is ending support for their QuickTime 7 for Windows product. QuickTime for Windows was commonly installed on Microsoft Windows PC’s in the form of a web browser plug-in and stand-alone player to support web-based media; it was also included as a component of the Apple iTunes media management software.
According to the Apple support site, current Windows web browsers already support media playback; and iTunes version 10.5 and later no longer include the QuickTime component.
Impact
Because using unsupported software may increase the risk from viruses and other security threats, members of the Marshall University community are advised to discontinue their use of the QuickTime software for Windows on both University- and personally-owned computers. If you have a business-critical application which specifically requires QuickTime for Windows – not just key media formats such as H.264 and AAC which are already supported by current Windows web browsers – we ask that you please contact the Marshall IT Information Security team to discuss alternative risk reduction solutions.
Solution
Apple, the US-CERT, and the Marshall Information Technology team recommend system users and administrators be aware of the risks associated with unsupported software and take the following actions in response to this advisory:
- Determine if QuickTime is a necessary component for any business-critical applications.*
- Uninstall QuickTime for Windows Software (if you have administrative privileges) and you have determined that it is not needed for machines which you own or manage; or Contact your IT Service Provider (if you do not have admin privileges ) and ask whether QuickTime can be uninstalled;
- Be Aware of Automated Efforts Which Are Underway by the Marshall IT Security team through the use of the Dell/KACE software inventory platform to do the following:
- Compile a list of University-owned computers which still have QuickTime installed
- Schedule KACE Desktop Alerts for machines which still show QuickTime as installed
- Automate the uninstallation of QuickTime for shared-use and centrally-managed machines
- Discontinue installation of QuickTime for Windows software in new system image builds and PC deployments.
*Note: Please contact Marshall IT Information Security and your department IT service provider to let us know if you have a business-critical application which require the continued use of QuickTime.
Reference Material
- Apple Ends Support for QuickTime for Windows; New Vulnerabilities Announced
https://www.us-cert.gov/ncas/alerts/TA16-105A - QuickTime 7 for Windows is No Longer Supported
https://support.apple.com/en-us/HT201175 - Uninstall QuickTime 7 for Windows
https://support.apple.com/en-us/HT205771
Thank you for your continued attention to information security,
Jon B. Cutler, MS, CISSP
Chief Information Security Officer
Marshall University, Division of Information Technology
Drinko Library 324, 1 John Marshall Drive, Huntington, WV 25755
Phone: 304-696-3270, @joncutler | BeHerd Feedback
http://www.marshall.edu/InfoSec
[This information from 4/26/2016 security advisory e-mail which was bcc’ed to ALL Marshall University Exchange Users]