18 Apr Law Firms Running Windows: Remove QuickTime Right Now
Due to Major Security Flaws, Law Firms Running Windows Need to Remove QuickTime Immediately.
Apple recently announced that it is no longer supporting QuickTime in the Windows environment, which means no further patches or security updates are being issued by Apple for security holes found in QuickTime for Windows. While you may think this is no big deal, you’d be wrong: TrendMicro has announced two security flaws in QuickTime that can easily, and unwittingly, result in “drive-by” malware infection of a user’s computer.
While both exploits will require the user to visit an infected webpage or open an infected file, the unfortunate reality is that either outcome can happen fairly easily – and sometimes without the user even knowing about it, particularly where cross-site scripting is involved. While keeping anti-virus software up-to-date is always a good practice, these type of exploits (and likely others to be later found) are not always blocked by anti-virus software. We’ve heard some more advanced endpoint security solutions do block these exploits (notably HP Tipping Point IPS and TrendMicro itself), but many smaller law firms don’t use enterprise-level solutions, and it is certainly not recommended practice to leave the endpoint as the last and only line of defense.
Law firms of any size have a duty to protect the confidentiality and privileged nature of client data and information, and law firms in regulated practice areas have further requirements specific to their practice areas (e.g. CFPB and GLBA for financial services, HIPAA for healthcare). The nightmare scenario would be confidential or privileged data getting publicly exposed through the malware, or the malware resulting in a “crypto-ransom” situation (where your law firm’s critical data gets encrypted and unusable, unless and until you pay a ransom). No law firm wishes to join the ranks of Mossack Fonseca here. There is simply zero reason to run these sorts of risks for a mere video player that really has no place at all on a Windows box.
How Do I Know If I Have QuickTime for Windows Installed?
If you’ve installed Apple’s iTunes on your Windows computer – or if any of your law firm’s staff has it installed on their workstations – there’s a fair chance QuickTime will also have been installed. The iTunes install includes the QuickTime installation by default, and the Apple software auto-update utility still pushes to download QuickTime by default.
iTunes = QuickTime for Windows in Stealth Mode.
To tell if you have QuickTime installed on your Windows box, search for “control panel” (Windows 8, Windows 8.1, or Windows 10) or click on the “home” button in the lower left of your screen and navigate to “control panel” (Windows 7) – then click on either “programs” or “installed programs” (varies by Windows version). After the list of installed programs has loaded, you’ll be able to scroll through and see if QuickTime is listed. And if QuickTime is listed, you should immediately remove it.
How Do I Remove QuickTime for Windows?
To remove QuickTime for Windows, you’ll generally uninstall it just like you would any other Windows program – e.g. by clicking “uninstall” on the QuickTime entry in the “programs” or “installed programs” list (varies by Windows version). For detailed instructions, read Apple’s un-installation instructions here. Keep in mind you may have to restart your computer after you uninstall QuickTime for Windows.
If your law firm uses Windows, we strongly suggest you verify whether or not QuickTime exists in your workstation inventory – and promptly remove it where found. There is no business need for QuickTime in the legal space, and the security risks associated with it at this point are simply enormous. We suspect more than a few law firms will find their staff has installed iTunes to make their work days more pleasant, which in and of itself isn’t really a problem. But, we are advising law firms to be wary – where iTunes exists, so can QuickTime, particularly because the automated Apple Software Update still pushes QuickTime to Windows users.
Quick closing comment, for those attorneys who are now wondering what other IT security risks lurk out there: OneDemand helps law firms develop, implement, and manage IT security policies and procedures – leveraging our experience handling enterprise compliance in the banking industry. If your law firm has questions about QuickTime, or about IT security in general, feel free to give us a shout. As a full-service law firm CTO provider, we have experience identifying and remediating IT security concerns across the legal enterprise.
Scott J. Jackson, Esq.