The global and independent platform for the SAP community.

QuickTime for Windows vulnerable: What's it to companies?

Two security vulnerabilities in Apple's QuickTime for Windows were published in mid-April. They were discovered already at the end of 2015, but because they were not announced, Apple had time to react. What was called "announce" here has consequences...
Raimund Genes, Trend Micro
May 4, 2016
Security
avatar
This text has been automatically translated from German to English.

Apple's official recommendation was to simply uninstall QuickTime. Thanks to HTML 5 and video support directly in web browsers, this does not really affect the "normal user".

This would make this story a classic consumer topic. However, there is another facet to QuickTime: ProRes.

This is a video codec developed by Apple for the professional film and video sector. Many Hollywood blockbusters are shot on cameras that use native ProRes as the "movie format".

While the ProRes codecs are supplied under Mac OS X, the only legal way under Windows was to install QuickTime. This is especially true for editing programs, color correction, 3D and visual effects.

With the discontinuation of QuickTime, entire production workflows are suddenly "up in the air". A situation that is widespread in professional environments and IT operations.

Discontinuation or end of support for software is a problem that industrial control systems have to deal with on an almost daily basis. For some industrial components with a planned service life of 20 years or more, for example, it should come as no surprise that Windows XP is still frequently used.

Sometimes you can even still find MS-DOS!

The option of a quick update is not available here. On the one hand, because the functionality of the system can no longer be guaranteed. On the other hand, for quite banal reasons such as hardware dependencies.

It doesn't even have to be the complete end of support for software. Even the timely installation of critical patches is problematic. Many business-critical systems in particular have defined maintenance windows.

Even if the patch is available and can be applied, it can take up to half a year (or longer!) until the next maintenance window. During this time, the systems are "up in the air" and are vulnerable.

Professional IT operations involve more than just patch management. If you only operate systems that can be patched at any time and without side effects, it is very easy - but experience has shown that such environments do not exist outside of presentation slides.

So you also have to think about protecting systems that cannot be patched promptly or at all.

In the case of systems that are not connected to the network, you may still be able to get away with the argument in a risk analysis that unpatched vulnerabilities cannot be exploited. Nowadays, however, almost all business-critical systems are networked!

Another option is virtual patching (virtual shielding), as found in Trend Micro's Deep Security, for example. This involves shielding the vulnerabilities without interfering with the actual system so that they can no longer be exploited via the network, for example.

The system itself is not patched and may therefore be vulnerable - but the vulnerability cannot be exploited.

This should not be understood as a "free pass" to never patch systems again. However, such technologies do allow systems to be protected until the maintenance window.

This is different for systems for which the manufacturer no longer provides patches. Such technologies are often the only way to operate systems securely at all. Professional IT operations must look to the future.

Regardless of whether we are talking about business-critical systems, industrial plants or "just" workflows in the media sector. It is not enough to think about how systems can be operated securely today.

Future operation, possibly without manufacturer support, also needs to be considered. The necessary technologies are available and have proven themselves. Embedded in regular IT operations, they enable secure operation:

2016 XVIOwhether today, when the patches are available and can be applied quickly, or tomorrow, when the maintenance windows are further apart or perhaps no patches are available at all.

avatar
Raimund Genes, Trend Micro

Raimund Genes was CTO at Trend Micro.


Write a comment

Working on the SAP basis is crucial for successful S/4 conversion. 

This gives the Competence Center strategic importance for existing SAP customers. Regardless of the S/4 Hana operating model, topics such as Automation, Monitoring, Security, Application Lifecycle Management and Data Management the basis for S/4 operations.

For the second time, E3 magazine is organizing a summit for the SAP community in Salzburg to provide comprehensive information on all aspects of S/4 Hana groundwork.

Venue

More information will follow shortly.

Event date

Wednesday, May 21, and
Thursday, May 22, 2025

Early Bird Ticket

Available until Friday, January 24, 2025
EUR 390 excl. VAT

Regular ticket

EUR 590 excl. VAT

Venue

Hotel Hilton Heidelberg
Kurfürstenanlage 1
D-69115 Heidelberg

Event date

Wednesday, March 5, and
Thursday, March 6, 2025

Tickets

Regular ticket
EUR 590 excl. VAT
Early Bird Ticket

Available until December 24, 2024

EUR 390 excl. VAT
The event is organized by the E3 magazine of the publishing house B4Bmedia.net AG. The presentations will be accompanied by an exhibition of selected SAP partners. The ticket price includes attendance at all presentations of the Steampunk and BTP Summit 2025, a visit to the exhibition area, participation in the evening event and catering during the official program. The lecture program and the list of exhibitors and sponsors (SAP partners) will be published on this website in due course.