Tippingpoint's Zero Day Initiative made two vulnerabilities for Quicktime in Windows public yesterday [1][2]. The two vulnerabilities do allow remote code execution, but there is a bit of user interaction required in that the user has to visit a web page with a malicious file to get exposed to the exploit. The CVSS score for both vulnerabilities is 6.8.

Usually, I would point to a patch at this point. But Apple responded to TippingPoint stating that Quicktime For Windows is no longer a supported product, and no updates will be released to fix these two vulnerabilities.

Apple published a page with details about how to uninstall Quicktime [3]. But I can't find any other official announcement from Apple about the state of Quicktime, other then the TippingPoint vulnerability release. As part of the uninstall instructions, Apple recommends searching for "Uninstall QuickTime." Please make sure to only search locally, do not use a Bing/Google/... search as it may lead to suspect software. A quick check I just did doesn't show anything terribly suspect; there are at least a couple spammy links in Bing.

[1] http://zerodayinitiative.com/advisories/ZDI-16-241/
[2] http://zerodayinitiative.com/advisories/ZDI-16-242/
[3]https://support.apple.com/HT205771

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn