Security, et al

Randy's Blog on Infosec and Other Stuff

Get rid of QuickTime as Quickly and Efficiently – For FREE!

Mon, 25 Apr 2016 12:53:01 GMT

Hi folks.  If you are wondering how many computers on your network have QuickTime installed and how to get rid of it, I’ve got some help for you in the form of a video, PowerShell script, AppLocker policy and free tools from SolarWinds.  If you don’t already know why it’s urgent to uninstall QuickTime, be aware that Apple has announced it’s no longer supporting QuickTime for Windows even though TrendMicro has announced 2 zero-day heap corruption vulnerabilities that allow remote code execution.  According to my understanding of this, Apple never provided any warning that they’d stop patching their software.  That’s really lame.  You have to say this for Microsoft, they give you warning.  So every Windows endpoint with QuickTime installed is a sitting duck.  Even the Department of Homeland Security is warning folks to kill QuickTime before the bad guys exploit it against you and your network.

Barry and I have put together 2 videos:

1.  How to spend about 15 minutes with a trial download of SolarWinds Patch Manager to

a.  Quickly inventory all the endpoints with QuickTime installed

i.  We got the folks at SolarWinds to post a report on Thwack that reports all computers with QuickTime installed.

b.  Remotely un-install QuickTime from those PCs

c.  Without installing any agents!

2.  Or you can use AppLocker to block QuickTime from executing on PCs where it is installed

I recommend using the SolarWinds Patch Manager option because it’s fast, easy and free and it eliminates the risk by uninstalling QuickTime.  My alternative AppLocker procedure only blocks QuickTime; it doesn’t install it and it doesn’t address malware that knows how to bypass the Application Identity service.

If you are going to the 30-day trial of SolarWinds Patch Manager to remove QuickTime please use this URL to download it because that helps us keep the lights on here at UltimateWindowsSecurity.  And don’t worry, the good folks at SolarWinds are good with you using the eval to solve this problem.  You might want to keep Patch Manager once you see it.  After explaining how to use it to get rid of QuickTime I’ll explain why I like Patch Manager.

Download PatchManager and install it.  Watch Barry’s video to help you save time.  It only takes Barry 11 minutes to install Patch Manager, find all the PCs with QuickTime and uninstall it.  Follow along with Barry and you’ll be done in time to take the rest of the morning off. 

If you are interested in my alternative (and less secure) AppLocker method, watch this video.

Download Randy's Powershell Script here: http://tinyurl.com/ze2okye

Both methods work without agents!  But only Patch Manager actually eliminates the risk.  And the no agent thing is what I love about Patch Manager.  It provides software inventory and 3rd party patching (Adobe, Java, Apple, etc) without requiring you to install yet another agent.  How does it do it?  It’s pretty cool. Patch Manager uses WMI for querying PCs but then it leverages the already existing Windows Update agent baked into every Windows computer to push 3rd party patches and of course Microsoft patches too.  It does this through a really cool integration with WSUS. 

So you get the best of both worlds.  Leverage the built-in infrastructure Windows already provides for patching Microsoft products to patch 3rd party products too!  Brilliant.  Again, if you want to use Patch Manager for getting rid of QuickTime for free or just want to try it out, please use this URL.  It helps fund our research and real training for free we provide nearly each week.

email this digg reddit dzone
comments (0)references (0)

Related:
Auditing Privileged Operations and Mailbox Access in Office 365 Exchange Online
5 Indicators of Endpoint Evil
Severing the Horizontal Kill Chain: The Role of Micro-Segmentation in Your Virtualization Infrastructure
Live with Dell at RSA 2015

Certificates and Digitally Signed Applications: A Double Edged Sword

Mon, 11 Apr 2016 11:28:31 GMT

Windows supports the digitally signing of EXEs and other application files so that you can verify the provenance of software before it executes on your system. This is an important element in the defense against malware. When a software publisher like Adobe signs their application they use the private key associated with a certificate they’ve obtained from one of the major certification authorities like Verisign.

Later when you attempt to run a program Windows can check the file’s signature and verify that it was signed by Adobe and that its bits haven’t been tampered with such as by the insertion of malicious code.

Windows doesn’t enforce digital signatures or limit which publisher’s programs can execute by default but you can enable with AppLocker. As powerful as AppLocker potentially is, it is also complicated to set up except for environments with a very limited and standardized set of applications. You must create rules for at least every publisher whose code runs on your system.

The good news however is that AppLocker can also be activated in audit mode. And you can quickly set up a base set of allow rules by having AppLocker scan a sample system. The idea with running AppLocker in audit mode is that you then monitor the AppLocker event log for warnings about programs that failed to match any of the allow rules. This means the program has an invalid signature, was signed by a publisher you don’t trust or isn’t signed at all. The events you look for are 8003, 8006, 8021 and 8024 and these events are in the logs under AppLocker as shown here:

These events are described here https://technet.microsoft.com/en-us/library/ee844150(v=ws.10).aspx which is part of the AppLocker Technical Reference.

If you are going to use AppLocker in audit mode for detecting untrusted software remember that Windows logs these events on teach local system. So be sure you are using a SIEM with an efficient agent like EventTracker to collect these events or use Windows Event Forwarding.

There are some other issues to be aware of though with digitally signed applications and certificates. Certificates are part of a very complicated technology called Public Key Infrastructure (PKI). PKI has so many components and ties together so many different parties there is unfortunately a lot of room for error. Here’s a brief list of what has gone wrong in the past year or so with signed applications and the PKI that signatures depend on:

  1. Compromised code-signing server

    I’d said earlier that code signing allows you to make sure a program really came from the publisher and that it hasn’t been modified (tampered). But depends on how well publisher protects their private key. And unfortunately Adobe is a case in point. A while back some bad guys broke into Adobe’s network and eventually found their way to the very server Adobe uses to sign applications like Acrobat. They uploaded their own malware and signed it with Adobe’s code signing certificate’s private key and then proceeded to deploy that malware to target systems that graciously ran the program as a trusted Adobe application. How do you protect against publishers that get hacked? There’s only so much you can do. You can create stricter rules that limit execution to specific versions of known applications but of course that makes your policy much more fragile.

  2. Fraudulently obtained certificates

    Everything in PKI depends on the Certification Authority only issuing certificates after rigorously verifying the party purchasing the certificate is really who they way the are. This doesn’t always work. A pretty recent example is Spymel a piece of malware signed by a certificate DigiCert issued to a company called SBO Invest. What can you do here? Well, using something like AppLocker to limit software to known publishers does help in this case. Of course if the CA itself is hacked then you can’t trust any certificate issued by it. And that brings us to the next point.

  3. Untrustworthy CAs

    I’ve always been amazed at all the CA Windows trusts out of the box. It’s better than it used to be but at one time I remember that my Windows 2000 system automatically trusted certificates issued by some government agency of Peru. But you don’t have trust every CA Microsoft does. Trusted CAs are defined in the Trusted Root CAs store in the Certificates MMC snap-in and you can control the contents of this store centrally via group policy

  4. Insecure CAs from PC Vendors

    Late last year Dell made the headlines when it was discovered that they were shipping PCs with their own CA’s certificate in the Trusted Root store. This was so that drivers and other files signed by Dell would be trusted. That might have been OK but they mistakenly broke The Number One Rule in PKI. They failed to keep the private key private. That’s bad with any certificate let alone a CA’s root certificate. Specifically, Dell included the private key with the certificate. That allowed anyone that bought an affected Dell PC to sign their own custom malware with Dell’s private key and then once deployed on other affected Dell systems to run it with impunity since it appeared to be legit and from Dell.

So, certificates and code signing is far from perfect show me any security control that is. I really encourage you to try out AppLocker in audit mode and monitor the warnings it produces.  You won’t break any user experience, the performance impact hardly measurable and if you are monitoring those warnings you might just detect some malware the first time it executes instead of the 6 months or so that it takes on average.

This article by Randy Smith was originally published by EventTracker

http://www.eventtracker.com/newsletters/certificates-and-digitally-signed-applications-a-double-edged-sword/

email this digg reddit dzone
comments (0)references (0)

Related:
Auditing Privileged Operations and Mailbox Access in Office 365 Exchange Online
5 Indicators of Endpoint Evil
Severing the Horizontal Kill Chain: The Role of Micro-Segmentation in Your Virtualization Infrastructure
Anatomy of a Hack Disrupted: How one of SIEM’s out-of-the-box rules caught an intrusion and beyond

previous | next

powered by Bloget™

Search


Categories
Recent Blogs
Archive