
QuickTime for Windows vulnerable: What's it to companies?

Two security vulnerabilities in Apple's QuickTime for Windows were published in mid-April. They had already been discovered at the end of 2015, but because they were not announced, Apple had time to react. What was called "announce" here has consequences...
Raimund Genes, Trend Micro
May 4, 2016
Security
This text has been automatically translated from German to English.

Apple's official recommendation was to simply uninstall QuickTime. Thanks to HTML 5 and video support directly in web browsers, this does not really affect the "normal user".

This would make this story a classic consumer topic. However, there is another facet to QuickTime: ProRes.

This is a video codec developed by Apple for the professional film and video sector. Many Hollywood blockbusters are shot on cameras that use native ProRes as the "movie format".

While the ProRes codecs are supplied with Mac OS X, the only legal way to obtain them under Windows was to install QuickTime. This applies in particular to editing programs, color correction, 3D and visual effects.

With the discontinuation of QuickTime, entire production workflows are suddenly "up in the air". This is a situation that is widespread in professional environments and IT operations.

Discontinuation or end of support for software is a problem that industrial control systems have to deal with on an almost daily basis. For some industrial components with a planned service life of 20 years or more, for example, it should come as no surprise that Windows XP is still frequently used.

Sometimes you can even still find MS-DOS!

The option of a quick update is not available here: on the one hand, because the functionality of the system could no longer be guaranteed afterwards; on the other hand, for quite banal reasons such as hardware dependencies.

It doesn't even have to be the complete end of support for software. Even the timely installation of critical patches is problematic. Many business-critical systems in particular have defined maintenance windows.

Even if the patch is available and can be applied, it can take up to half a year (or longer!) until the next maintenance window. During this time, the systems are "up in the air" and are vulnerable.

Professional IT operations involve more than just patch management. If you only operate systems that can be patched at any time and without side effects, it is very easy - but experience has shown that such environments do not exist outside of presentation slides.

So you also have to think about protecting systems that cannot be patched promptly or at all.

In the case of systems that are not connected to the network, you may still be able to get away with the argument in a risk analysis that unpatched vulnerabilities cannot be exploited. Nowadays, however, almost all business-critical systems are networked!

Another option is virtual patching (virtual shielding), as found in Trend Micro's Deep Security, for example. This involves shielding the vulnerabilities without interfering with the actual system, so that they can no longer be exploited via the network.

The system itself is not patched and may therefore be vulnerable - but the vulnerability cannot be exploited.
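To make the idea of shielding concrete, here is an added example that is not code from the article, from Trend Micro or from Deep Security. It models a virtual patch as a rule on a network gateway in front of hosts that still run the unpatched software: the gateway recognises QuickTime container files by their atom structure (or by a `video/quicktime` content type) and refuses to deliver them to hosts registered as unpatched, while traffic to patched hosts and ordinary MP4 files pass untouched. The hostnames, the policy table and the sample responses are constructed for the example; a real product would match the specific vulnerable parsing path rather than the whole file type.

```python
"""Virtual patching as a gateway-side content filter (constructed example)."""
import struct
from dataclasses import dataclass

# Hosts that still run the vulnerable software and cannot be patched before the
# next maintenance window. Constructed for this example; in practice this list
# comes from the inventory/CMDB, not from a hard-coded set.
UNPATCHED_HOSTS = {
    "edit-suite-01.example.internal",
    "color-grade-02.example.internal",
}

# Top-level atom types that a QuickTime movie file may legitimately start with.
QUICKTIME_ATOMS = {b"ftyp", b"moov", b"mdat", b"wide", b"free", b"skip", b"pnot"}


def looks_like_quicktime(payload: bytes) -> bool:
    """Structural check: a QuickTime/ISO base-media file begins with a 32-bit
    big-endian atom size followed by a 4-byte atom type.  A 'ftyp' atom whose
    major brand is 'qt  ' is a QuickTime movie; a leading 'moov'/'mdat'/'wide'
    atom is the older QuickTime layout.  An MP4 with brand 'isom' is not
    flagged, so ordinary HTML5 video keeps flowing."""
    if len(payload) < 8:
        return False
    size, atom = struct.unpack(">I4s", payload[:8])
    if atom == b"ftyp":
        return len(payload) >= 12 and payload[8:12] == b"qt  "
    # size 0 = atom extends to end of file, size 1 = 64-bit extended size
    return atom in QUICKTIME_ATOMS and (size in (0, 1) or size >= 8)


@dataclass(frozen=True)
class Verdict:
    host: str
    allowed: bool
    reason: str


def filter_response(dest_host: str, content_type: str, payload: bytes) -> Verdict:
    """Gateway decision for one HTTP response on its way to dest_host.
    The host itself is never modified; only delivery of the risky content is
    blocked, which is the essence of a virtual patch."""
    if dest_host not in UNPATCHED_HOSTS:
        return Verdict(dest_host, True, "host is patched; no shielding rule applies")
    if content_type.lower().startswith("video/quicktime"):
        return Verdict(dest_host, False, "Content-Type video/quicktime to unpatched host")
    if looks_like_quicktime(payload):
        return Verdict(dest_host, False, "QuickTime container detected by atom signature")
    return Verdict(dest_host, True, "no QuickTime content")


# Constructed sample responses: (destination host, Content-Type, first bytes).
SAMPLES = [
    # QuickTime 'ftyp' with brand 'qt  ', mislabelled as a generic download
    ("edit-suite-01.example.internal", "application/octet-stream",
     struct.pack(">I", 20) + b"ftypqt  " + bytes(8)),
    # plain MP4 (brand 'isom'): harmless for the QuickTime parser, allowed
    ("edit-suite-01.example.internal", "video/mp4",
     struct.pack(">I", 20) + b"ftypisom" + bytes(8)),
    # old-style movie starting with a 'moov' atom, correctly labelled
    ("color-grade-02.example.internal", "video/quicktime",
     struct.pack(">I", 8) + b"moov"),
    # same content, but to a host that is already patched: allowed
    ("workstation-99.example.internal", "video/quicktime",
     struct.pack(">I", 8) + b"moov"),
    # unrelated content to an unpatched host: allowed
    ("edit-suite-01.example.internal", "text/html", b"<html>ok</html>"),
]


def run_gateway(samples=SAMPLES) -> list[Verdict]:
    """Apply the shielding rule to each sample and emit one log line per
    decision, as an inline gateway would."""
    verdicts = []
    for host, ctype, payload in samples:
        v = filter_response(host, ctype, payload)
        print(f"{'ALLOW' if v.allowed else 'BLOCK'} host={v.host} "
              f"content_type={ctype} reason={v.reason}")
        verdicts.append(v)
    return verdicts


if __name__ == "__main__":
    run_gateway()
```

The rule lives entirely on the gateway, so the unpatched host keeps running exactly as before, and removing the host from `UNPATCHED_HOSTS` after the maintenance window retires the shield without any further change to the system.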

This should not be understood as a "free pass" to never patch systems again. However, such technologies do allow systems to be protected until the maintenance window.

This is different for systems for which the manufacturer no longer provides patches. Such technologies are often the only way to operate systems securely at all. Professional IT operations must look to the future.

Regardless of whether we are talking about business-critical systems, industrial plants or "just" workflows in the media sector, it is not enough to think about how systems can be operated securely today.

Future operation, possibly without manufacturer support, also needs to be considered. The necessary technologies are available and have proven themselves. Embedded in regular IT operations, they enable secure operation: whether today, when the patches are available and can be applied quickly, or tomorrow, when the maintenance windows are further apart or perhaps no patches are available at all.

Raimund Genes, Trend Micro

Raimund Genes was CTO at Trend Micro.
