Mitigating QuickTime for Windows via GPO

eccoleman posted this 19 April 2016

Our Security team is dead-set on obliterating all QuickTime for Windows installations and is looking to us AD guys for some help. They were hoping we would have some sort of magic uninstaller we could “make execute” on all computers via GPO, but that sounds too convoluted and failure-prone. I pointed out perhaps using a Software Execution Policy to block QuickTime from executing altogether. Can anyone think of any other creative ways to block/disable QuickTime? Modifying the file associations perhaps? They plan to garner some help from the SCCM guys as well. Thanks!

 

Erik Coleman Senior Manager, Enterprise Systems Technology Services at Illinois University of Illinois at Urbana-Champaign    

SmitaCarneiro posted this 19 April 2016

I’d go with pushing out an uninstall Quicktime package via SCCM.

It’s pretty easy, given that Quicktime uses an msi for installation. And it can be set to run immediately or at a set time. I used to set these for after hours when I worked with SCCM.

 

Smita

gkirkpatrick posted this 19 April 2016

Would a Software Restriction Policy work for you? It would block execution, but not uninstall anything…

 

-g

kennedyjim posted this 19 April 2016

You are right that any GPO solution to uninstall is prone to error, and more importantly you won’t know which have errored so you can intervene.

 

Might be time for a software management system for this and future issues. I swear by PDQDeploy. 500 per year for the software management, and an extra 500 for the software inventory management part that you really need. The software inventory part will let you know where it is still installed. So for a grand a year you are all set. http://www.adminarsenal.com/pdq-deploy/

 

Or yea, an SRP to restrict it would certainly work.

 


kennedyjim posted this 19 April 2016

Left out that PDQ has uninstallers built in for most everything…or you can easily roll your own. I did maybe 10 clicks when this Quicktime happened and 15 minutes later it was gone except for a few that failed. I opened work orders for the desktop guys on those and moved on.

 


g4ugm posted this 19 April 2016

Well I am not surprised it has known, disclosed, unpatched vulnerabilities. Apple have said they will no longer provide security updates. Un-install is OK but do you have measures in place to prevent it being re-installed? How did it get there in the first place, so is it in a consistent place?

If it's been installed by the users, total eradication might be challenging. Do they still have admin rights?

Execution Policy to prevent the installer re-installing?

Audit Script to see if it exists anywhere?

Dave Wade
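As an added example (not part of any post in this thread, and not the script linked later in it): a PowerShell audit of the kind asked about above, which also covers the concern that a GPO-driven uninstall leaves no record of which machines failed. The function names, the `QuickTime*` display-name match and the report share path are assumptions.

```powershell
# Added example. Requires PowerShell 3.0+ and administrative rights for the uninstall.
# Assumption: QuickTime registers a DisplayName beginning with "QuickTime".
function Get-QuickTimeInstall {
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }   # no WOW6432Node on 32-bit Windows
        foreach ($key in Get-ChildItem $root) {
            $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            if ($p.DisplayName -like 'QuickTime*') {
                [pscustomobject]@{
                    Computer    = $env:COMPUTERNAME
                    DisplayName = $p.DisplayName
                    Version     = $p.DisplayVersion
                    ProductCode = $key.PSChildName   # key name is the product GUID for MSI installs
                    IsMsi       = ($p.WindowsInstaller -eq 1)
                    ExitCode    = $null
                }
            }
        }
    }
}

function Remove-QuickTimeInstall {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Install)
    process {
        if (-not $Install.IsMsi) {
            Write-Warning "$($Install.DisplayName): not an MSI install, handle manually"
        } elseif ($PSCmdlet.ShouldProcess($Install.DisplayName, 'msiexec /x')) {
            $msiArgs = "/x $($Install.ProductCode) /qn /norestart"
            $proc = Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
            # 0 = success, 3010 = success but reboot required; anything else needs follow-up
            $Install.ExitCode = $proc.ExitCode
        }
        $Install   # always emit the record so failures show up in the report
    }
}

# Audit only: one CSV per machine on a share (hypothetical path).
$report = '\\fileserver.example\qt-audit\{0}.csv' -f $env:COMPUTERNAME
Get-QuickTimeInstall | Export-Csv -Path $report -NoTypeInformation
# Audit, uninstall and record the result per machine:
# Get-QuickTimeInstall | Remove-QuickTimeInstall | Export-Csv -Path $report -NoTypeInformation
```

Re-running the audit on a schedule also catches the re-install case raised in the post; add `-WhatIf` to `Remove-QuickTimeInstall` to see what would be removed without changing anything.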


johnglenn posted this 19 April 2016

If you have SCCM in your environment, you should use it to uninstall QuickTime. Using AD over SCCM for software management is like using pliers to turn a screw: it may technically work, but you'll have to work much harder for a poorer outcome.

John


jheaton posted this 19 April 2016

You know, I hear that a lot the last couple of days “Apple says they no longer support” or “Apple confirms blah, blah”

 

Does anyone out there actually have a link that shows Apple actually saying these things?  The closest I’ve found is a Wall Street Journal article that says “Apple confirmed to The Wall Street Journal that it is no longer supporting or updating the 11-year-old Quicktime 7 for Windows”

 

But I didn’t see anything from anyone actually working for Apple.

 


jheaton posted this 19 April 2016

I love that analogy.  I think I’m gonna steal it

J

rwf4 posted this 19 April 2016

Hi Joe-



 

I took this one as “good enough”

 

https://www.us-cert.gov/ncas/alerts/TA16-105A

 

--bob

rwf4 posted this 19 April 2016

Also see

http://zerodayinitiative.com/advisories/ZDI-16-241/

 





Vendor Response

Apple states:

This vulnerability is being disclosed publicly without a patch because vendor indicates that the product is deprecated.

11/11/2015 - ZDI reported 2 vulnerabilities to the vendor
11/11/2015 - The vendor acknowledged receipt of both reports
02/29/2016 - ZDI wrote to the vendor requesting a status update
03/08/2016 - The vendor replied, inviting ZDI to a call
03/09/2016 - ZDI joined a call with the vendor:
  ZDI was advised that the product would be deprecated on Windows and the vendor would publish removal instructions for users.
  ZDI advised the vendor that the cases would be 0-day.
03/24/2016 - ZDI notified the vendor of the intent to 0-day on or after 4/13
04/01/2016 - The vendor acknowledged and provided a link to their removal instructions

Vendor Response:
https://support.apple.com/HT205771

Disclosure Timeline

2015-11-11 - Vulnerability reported to vendor
2016-04-14 - Coordinated public release of advisory

robertsingers posted this 19 April 2016

Joseph, somewhere on Apple's marketing related web site is a list of the support status of products including software.  I don't care to find it for you because I no longer have any Apple products in my life and feel much happier for it.



g4ugm posted this 19 April 2016

Well Apple say it’s unsupported on OS’s later than Windows/7….. https://support.apple.com/kb/DL837?viewlocale=enUS&locale=enUS it also says it won’t comment on declared vulnerabilities until they are investigating and patched. If it’s not patching them then it won’t comment on them…... Trend Micro have now published two currently un-exploited vulnerabilities e.g. http://zerodayinitiative.com/advisories/ZDI-16-241/ … to which Apple’s response was apparently “Un-install”. If they intend to provide patches I would have thought, we would have some response from Apple. http://blog.trendmicro.com/urgent-call-action-uninstall-quicktime-windows-today/ is I think the base article…

Dave
G4UGM


kennedyjim posted this 20 April 2016












I find Apple not saying anything to be far more damning than anything Trend can say.  It is inexcusable for them to not address this issue at all. This is not a surprise to them, it isn't like they didn't have five months to prepare a response. Three months from notification to disclosure is the norm. And it makes no sense, Apple has been one of the more reactive companies on security, they are usually very on the ball.

And for them to not say anything, and leave the software on their website for uneducated home people to install is something I can't even begin to understand.

jheaton posted this 20 April 2016

But even there:

 

“According to Trend Micro, Apple will no longer be providing security updates for QuickTime for Windows, leaving this software vulnerable to exploitation”

 

How exactly does Trend Micro know what Apple will or won’t be doing?

 

 


jheaton posted this 20 April 2016

That one is a bit more of what I would expect to see.

 

 

Don’t get me wrong, guys, I’m right there with you, wanting to get rid of the product.  Just find it odd, and disappointing, that Apple hasn’t put out anything themselves.

 


kennedyjim posted this 20 April 2016

For the record.  ZDI=Trend.  ZDI is Trend’s public arm for reporting vulns they discover.

 


jheaton posted this 20 April 2016

At least it shows something along the lines of “We actually spoke with Apple” vs just saying that Apple was stopping support.

 


fuscob posted this 20 April 2016

I found this curious as well and so I reached out to our Apple rep. I got back “Let me see what I can find.  I have not seen anything official either.” I’ll post back here if I hear anything else.

 

Brendan A. Fusco

Infrastructure Operations Architect

DePaul University, Information Services

 


jeremyts posted this 20 April 2016

Here’s an uninstall script that was posted today that someone may find of value:



http://mickitblog.blogspot.com.au/2016/04/apple-quicktime-uninstaller.html

 

Cheers,

Jeremy

 


fuscob posted this 21 April 2016

Our Apple rep just got back to me. They’ve posted an official statement:

https://support.apple.com/en-us/HT201175



 

Brendan A. Fusco

Infrastructure Operations Architect

DePaul University, Information Services

 
