Get rid of QuickTime as Quickly and Efficiently – For FREE!
Mon, 25 Apr 2016 12:53:01 GMT
Hi folks. If you are wondering how many computers on your network have QuickTime installed and how to get rid of it, I’ve got some help for you in the form of a video, PowerShell script, AppLocker policy and free tools from SolarWinds.
If you don’t already know why it’s urgent to uninstall QuickTime, be aware that Apple has announced it’s no longer supporting QuickTime for Windows even though TrendMicro has announced 2 zero-day heap corruption vulnerabilities that allow remote code execution. According to my understanding of this, Apple never provided any warning that they’d stop patching their software. That’s really lame. You have to say this for Microsoft, they give you warning. So every Windows endpoint with QuickTime installed is a sitting duck. Even the Department of Homeland Security is warning folks to kill QuickTime before the bad guys exploit it against you and your network.
Barry and I have put together 2 videos:
1. How to spend about 15 minutes with a trial download of SolarWinds Patch Manager to
   a. Quickly inventory all the endpoints with QuickTime installed
      i. We got the folks at SolarWinds to post a report on Thwack that reports all computers with QuickTime installed.
   b. Remotely un-install QuickTime from those PCs
   c. Without installing any agents!
2. Or you can use AppLocker to block QuickTime from executing on PCs where it is installed
I recommend using the SolarWinds Patch Manager option because it’s fast, easy and free and it eliminates the risk by uninstalling QuickTime. My alternative AppLocker procedure only blocks QuickTime; it doesn’t uninstall it and it doesn’t address malware that knows how to bypass the Application Identity service.
If you are going to use the 30-day trial of SolarWinds Patch Manager to remove QuickTime, please use this URL to download it because that helps us keep the lights on here at UltimateWindowsSecurity. And don’t worry, the good folks at SolarWinds are good with you using the eval to solve this problem. You might want to keep Patch Manager once you see it. After explaining how to use it to get rid of QuickTime I’ll explain why I like Patch Manager.
Download Patch Manager and install it. Watch Barry’s video to help you save time. It only takes Barry 11 minutes to install Patch Manager, find all the PCs with QuickTime and uninstall it. Follow along with Barry and you’ll be done in time to take the rest of the morning off.
If you are interested in my alternative (and less secure) AppLocker method, watch this video.
Download Randy's PowerShell Script here: http://tinyurl.com/ze2okye
Both methods work without agents! But only Patch Manager actually eliminates the risk. And the no agent thing is what I love about Patch Manager. It provides software inventory and 3rd party patching (Adobe, Java, Apple, etc.) without requiring you to install yet another agent. How does it do it? It’s pretty cool. Patch Manager uses WMI for querying PCs but then it leverages the already existing Windows Update agent baked into every Windows computer to push 3rd party patches and of course Microsoft patches too. It does this through a really cool integration with WSUS. So you get the best of both worlds. Leverage the built-in infrastructure Windows already provides for patching Microsoft products to patch 3rd party products too! Brilliant.
Again, if you want to use Patch Manager for getting rid of QuickTime for free or just want to try it out, please use this URL. It helps fund our research and the free real training we provide nearly every week.
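
For a quick agentless check of which PCs still have QuickTime installed, here is an added example (not Randy's script and not part of Patch Manager) that reads the uninstall registry keys over PowerShell remoting and reports unreachable hosts separately so they are not mistaken for clean machines. It assumes WinRM is enabled on the targets; the function name Get-QuickTimeInstall and the file names computers.txt and quicktime-inventory.csv are hypothetical.

```powershell
# Added example: agentless QuickTime inventory over PowerShell remoting.
# Assumptions: WinRM is enabled on the targets; computers.txt (hypothetical)
# lists one host name per line.
function Get-QuickTimeInstall {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$ComputerName
    )
    begin {
        # Runs on each target. Both registry views are checked because 32-bit
        # installers register under WOW6432Node on 64-bit Windows. The registry
        # is read instead of Win32_Product, whose enumeration triggers an MSI
        # consistency check of every installed package.
        $probe = {
            $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
            Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
                Where-Object { $_.DisplayName -like '*QuickTime*' } |
                Select-Object DisplayName, DisplayVersion, UninstallString
        }
    }
    process {
        foreach ($computer in $ComputerName) {
            try {
                $hits = @(Invoke-Command -ComputerName $computer -ScriptBlock $probe -ErrorAction Stop)
                foreach ($hit in $hits) {
                    [pscustomobject]@{
                        ComputerName    = $computer
                        Status          = 'Installed'
                        DisplayName     = $hit.DisplayName
                        Version         = $hit.DisplayVersion
                        UninstallString = $hit.UninstallString
                    }
                }
                if ($hits.Count -eq 0) {
                    [pscustomobject]@{ ComputerName = $computer; Status = 'NotFound'
                        DisplayName = $null; Version = $null; UninstallString = $null }
                }
            }
            catch {
                # Report unreachable hosts instead of silently skipping them.
                [pscustomobject]@{ ComputerName = $computer; Status = "Unreachable: $($_.Exception.Message)"
                    DisplayName = $null; Version = $null; UninstallString = $null }
            }
        }
    }
}

Get-Content .\computers.txt | Get-QuickTimeInstall |
    Export-Csv .\quicktime-inventory.csv -NoTypeInformation
```

Re-running the same inventory after the uninstall confirms that no host still reports Status 'Installed'.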
Back Door Bypasses AppLocker and Software Restriction Policies
Tue, 02 Aug 2011 13:40:25 GMT
Just a quick note about what looks like a pretty bad backdoor to Windows 7's AppLocker and the older Software Restriction Policies. I've just learned about it and will be covering it in greater detail in tomorrow's webinar.
It's a backdoor created by Microsoft for when you load a DLL. Just specify the LOAD_IGNORE_CODE_AUTHZ_LEVEL flag and AppLocker ignores the DLL. Furthermore, there's a similar flag, SANDBOX_INERT, on the CreateRestrictedToken API that apparently allows you to start a new process with AppLocker disabled as well.
Again, I'll have more on this in tomorrow's webinar.