So you were an Apple fan a long time ago? You own a Mac today but still have that older PC? Or perhaps you rolled QuickTime into your builds a long time ago and it is still in there today? It’s time to remove QuickTime, today. Several years ago QuickTime was one of the primary third-party tools that I would use in testing drive-by exploitation frameworks. Since iTunes 10.5 in the fall of 2011, QuickTime has no longer been a requirement as it was previously. To make matters worse, two new critical vulnerabilities have increased the risk for this now-retired product.
4D5A Security recommends regular audits to ensure that you’re including only exactly the software you need within your golden images. More importantly, if you’re an organization with legacy dependencies, especially for hardware and software that is no longer officially supported, it’s time to move beyond such accepted risk into a well-managed security program. At some point, with the types of threats and the risk landscape we have today, it’s foolishness to think in any other way from a risk acceptance and total cost of ownership standpoint.
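One way to run the golden-image audit recommended above as a build gate, shown as an added example that is not code from 4D5A Security. It assumes the image is Windows, that QuickTime registers a `DisplayName` starting with "QuickTime" under the standard Uninstall registry keys, and that the script runs inside the image before capture; the parameter and function names are hypothetical.

```powershell
# Added example: fail an image build when retired software is still installed.
# Assumption: products register under the machine-wide Uninstall keys. Per-user
# installs (HKCU) are not covered here.
[CmdletBinding()]
param(
    # Constructed pattern list; extend it with your own retired-software baseline.
    [string[]]$RetiredPatterns = @('QuickTime*')
)

# Check both registry views: native installs and 32-bit installs on 64-bit Windows.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-RetiredSoftware {
    param([string[]]$Patterns, [string[]]$Roots)

    foreach ($root in $Roots) {
        # The WOW6432Node path is absent on 32-bit Windows; skip it quietly.
        $entries = Get-ItemProperty -Path $root -ErrorAction SilentlyContinue
        foreach ($entry in $entries) {
            if (-not $entry.DisplayName) { continue }   # entry has no product name
            foreach ($pattern in $Patterns) {
                if ($entry.DisplayName -like $pattern) {
                    [pscustomobject]@{
                        DisplayName     = $entry.DisplayName
                        DisplayVersion  = $entry.DisplayVersion
                        Publisher       = $entry.Publisher
                        UninstallString = $entry.UninstallString
                        RegistryKey     = $entry.PSPath
                    }
                    break   # one finding per entry is enough
                }
            }
        }
    }
}

$findings = @(Get-RetiredSoftware -Patterns $RetiredPatterns -Roots $uninstallRoots)

if ($findings.Count -gt 0) {
    $findings | Format-List
    Write-Error "Retired software found ($($findings.Count) entries). Remove it before capturing the image."
    exit 1
}
Write-Output 'No retired software found in the uninstall registry keys.'
exit 0
```

A non-zero exit code lets an image pipeline stop the capture step, and the reported `UninstallString` shows which uninstaller the product registered.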