Apple stops QuickTime for Windows support, video-based Adobe applications in jeopardy; graphics community reacts
Following a "call for action" from TrendMicro, the United States Computer Emergency Readiness Team (US-CERT), which is a part of the Department of Homeland Security, issued Alert TA16105-A which urged the public to uninstall Apple QuickTime for Windows. TrendMicro's recent Zero Day Initiative had uncovered two vulnerabilities which were associated with Apple QuickTime on Windows: ZDI-16-241 and ZDI-16-242 are "remote code vulnerabilities" that may leave users of the application open to security threats and risks from viruses.
The US-CERT alert issued outlines that "… Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets. The only mitigation available is to uninstall QuickTime for Windows."
TrendMicro's warning was based on reports that Apple has ceased development of the application and, as a result, would no longer provide security updates. It should be noted that the alert only applies to QuickTime on Windows; Mac OSX users are not affected with this problem.
Apple received some criticism for its abrupt withdrawal of support for QuickTime. Barracuda, a company which provides security, networking, and storage products, shares its opinion on Apple's role in this present difficulty.
The Senior Director of Security Product Management for Barracuda, Sanjay Ramnath, points out, "While Apple has every right to discontinue any of its products, it should be done so in a way to limit risk to its users."
Ramnath goes on to say that, with the widespread use of the application, Apple's abrupt withdrawal of support without so much as a warning and worse, without providing a fix for the problems, could pose great risks to users.
In the meantime, Apple's discontinued support for QuickTime and the subsequent advice to uninstall has affected users of Adobe's Premiere Pro and After Effects video-based applications which install QuickTime by default.
Adobe issued a guide to address the issue. Madison Murphy of the Adobe Customer Care Team wrote on the company's blog, "Adobe has worked extensively on removing dependencies on QuickTime in its professional video, audio and digital imaging applications and native decoding of many .mov formats is available today."
But despite this, it seems that some codecs still remain dependent on QuickTime. Subscribers of Adobe Creative Cloud for one would be hard-pressed with the limited timeframe by which to look for alternatives while remaining open to zero-day attacks until they make the switch to some other application than QuickTime.
Murphy adds, "We continue to work hard to improve this situation, but have no estimated time frame for native decode currently."
Those from the graphics community using Creative Cloud have reacted to this statement from Adobe. One subscriber, Chris Dickman, editor of the site Graphics.com, which deals mainly in graphics and designs, blasts Adobe's lack of options for affected users in the face of the QuickTime uninstall alert.
He writes on his site, "Unfortunately? Let me paraphrase that for you: 'We didn't see this coming, your systems are compromised if you keep using our software and we will make no commitment to fixing this' … Windows users are just expected to suck that up. Although all hell would have broken loose if Adobe's Mac-based video community had been put at similar risk."
Dickman also had something to say about Apple.
"It always seemed as if the Windows version [of QuickTime] was designed by Steve Jobs to punish us. Bundled with iTunes for many years, annoying to install and update, unstable, and with crappy performance: It really sucked …"
For some companies, the uninstall may be relatively quick; however, it may take a while for many other organizations who depend largely on QuickTime to make a switch, which would hamper their employee productivity and keep them at a very high risk for the vulnerabilities mentioned.