Researcher Found Flaws in Zoom’s Teleconference Platform
The day after security researcher Patrick Wardle disclosed two zero-day vulnerabilities in the macOS client version of Zoom’s teleconferencing platform, the company on Thursday rushed out patches for these flaws and one other.
In a Thursday blog post, Zoom CEO Eric Yuan said the company had issued patches for the zero-day vulnerabilities disclosed Wednesday as well as another flaw that could give remote attackers the ability to steal users’ Windows log-in credentials and execute arbitrary commands. He urged users to immediately apply the patches.
Zoom’s teleconferencing platform has become more widely used in recent weeks as the COVID-19 pandemic has forced millions of employees to work at home, and the company’s privacy and security practices have come under increased scrutiny (see: Zoom Contacts Feature Leaks Email Addresses, Photos).
Yuan acknowledged that the huge influx of new users, including smaller businesses as well as consumers looking to connect with friends and family, has put stress on the platform and led to the discovery of security vulnerabilities. The company is now planning a 90-day review to address these issues and is freezing the addition of new features.
“Over the next 90 days, we are committed to dedicating the resources needed to better identify, address, and fix issues proactively. We are also committed to being transparent throughout this process,” Yuan wrote in his blog.
Fixing Zero-Day Flaws
On Wednesday, Wardle, a former National Security Agency hacker who’s now principal security researcher at Jamf, published a blog post disclosing two zero-day vulnerabilities within the Zoom platform for macOS.
One of these flaws stems from a vulnerability in the Zoom installer that works with macOS, according to Wardle. Under the right circumstances, an attacker exploiting the flaw could escalate their privileges within the system and gain full root access to a device’s underlying operating system, making it easier to install malware or other malicious code, the researcher notes.
The other flaw is a vulnerability in how Zoom interacts with a Mac’s camera and microphone. By exploiting it, an attacker could inject malicious code into the Zoom client and thereby gain the same access to the microphone and camera that the user has. This could open the door to eavesdropping on conversations and meetings, according to the blog post.
To exploit both flaws, Wardle notes, an attacker would need physical access to a victim’s Mac.
Disclosure Timing Questioned
After Wardle published his findings Wednesday, some other security experts questioned the timing of the disclosures, claiming that Wardle did not give Zoom enough time to respond. For instance, Heather Adkins, Google’s director of security and privacy, raised that point, and former Facebook CISO and Stanford researcher Alex Stamos also voiced concerns via Twitter.
Yes. Just because they are in the news doesn’t make dropping 0-day in Techcrunch appropriate.
— Alex Stamos (@alexstamos) April 1, 2020
In addition to Wardle’s disclosure, other researchers published reports this week concerning a different flaw – this one in the Windows client for Zoom – that involves the platform’s handling of Universal Naming Convention (UNC) paths.
Within its chat messaging feature, Zoom converts UNC paths into clickable links, according to researchers. The vulnerability could allow an attacker to intercept usernames and passwords from the Windows version of the platform. Zoom issued a patch on Thursday to fix this flaw.
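As an added illustration of the defensive fix for this class of bug (example code written for this article, not Zoom’s own, with constructed chat messages), the snippet below contrasts a linkifier that turns UNC paths into clickable links with one that only renders http/https URLs, and includes a check for flagging UNC paths in chat text:

```python
import html
import re

# Constructed sample chat messages (not real Zoom traffic).
SAMPLE_MESSAGES = [
    "Slides are at https://example.com/deck.pdf",
    r"Grab the file from \\attacker-host\share\notes.txt",
    "Also see file://server/share for the archive",
]

# A UNC path: two backslashes, a host, a backslash, then a share/path.
UNC_PATH = re.compile(r"\\\\[^\s\\]+\\[^\s]+")
# Allow-list of link schemes a chat renderer should turn into anchors.
SAFE_URL = re.compile(r"https?://[^\s<>\"]+", re.IGNORECASE)
# The permissive pattern: anything that looks like a URL or a UNC path.
ANY_LINK = re.compile(f"(?:{SAFE_URL.pattern})|(?:{UNC_PATH.pattern})", re.IGNORECASE)


def _render(text: str, pattern: re.Pattern) -> str:
    """HTML-escape text and wrap every match of `pattern` in an <a> tag."""
    out, pos = [], 0
    for m in pattern.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        target = html.escape(m.group(0), quote=True)
        out.append(f'<a href="{target}">{target}</a>')
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def linkify_unsafe(text: str) -> str:
    """Behaviour the article describes: UNC paths become clickable links."""
    return _render(text, ANY_LINK)


def linkify_safe(text: str) -> str:
    """Hardened renderer: only http/https become links; UNC paths stay inert text."""
    return _render(text, SAFE_URL)


def find_unc_paths(text: str) -> list[str]:
    """Detection helper: return every UNC path found in a chat message."""
    return UNC_PATH.findall(text)


def flag_messages(messages: list[str]) -> list[str]:
    """Return the messages that carry at least one UNC path (e.g. for log review)."""
    return [m for m in messages if find_unc_paths(m)]
```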
In recent days, Zoom has faced intense scrutiny over the platform’s security and privacy. On Wednesday, researchers revealed that a Zoom feature that’s designed to help individuals within an organization quickly connect to others through the desktop app can expose email addresses, full names and profile photos to other users who should not have access, according to Motherboard.
Zoom also issued an apology this week for sharing large sets of user data by default with Facebook, blaming the social network’s software development kit, which it has since removed from its iOS app. The exposed user data included IP addresses and device models. Zoom has now stopped that data sharing practice and updated its privacy guidelines (see: Zoom Stops Transferring Data by Default to Facebook).
On Monday, the New York Times reported that New York Attorney General Letitia James sent a letter to Zoom asking about the company’s privacy and security practices. The letter also sought information about vulnerabilities “that could enable malicious third parties to, among other things, gain surreptitious access to consumer webcams,” according to the report.
Meanwhile, the FBI issued a warning about “Zoom Bombing,” where third parties were entering Zoom meetings and causing disruptions.