Now that many millions more people are using Zoom, researchers have it under a microscope, and when that happens they always find something.
The good news is that Zoom has, historically, been very responsible about pushing out fixes quickly.
In addition, there is a bit of “inside baseball” news about this. Google runs one of the largest good-guy hacking teams in the world, and that team is arguing with itself over the way some of these bugs were disclosed. The bugs announced by ex-NSA hacker Patrick Wardle were published without the customary 90-day waiting period. That process, called “responsible disclosure” (or coordinated disclosure), gives the developer a set amount of time to release a fix before the bug is made public and the bad guys get a chance to exploit it. Patrick reasoned that, given the huge uptick in Zoom usage due to the pandemic, people needed to know about the risks now. Tavis Ormandy, one of the leading Project Zero researchers, agreed with Patrick’s decision, while Heather Adkins, director of information security and privacy at Google, asked whether the bugs had been responsibly disclosed, suggesting that Patrick should not have announced them. Other researchers are chiming in on one side or the other. For the rest of the back and forth, see the article in ITWire.
Okay, so what are Zoom’s troubles?
First, there is a bug in the Windows client that lets an attacker steal your Windows login credentials (not a good thing, I guess) and also run programs on your machine. The credentials leave the machine as a password hash rather than the password itself, but hashes can often be cracked offline or replayed, so treat it as password theft. Zoom says that it is working on a fix (see details of the attack at Bleeping Computer).
And then there are the two Mac bugs that put Patrick at odds with Heather, above.
The first is a local attack, meaning the hacker already needs some foothold on the Mac (an ordinary, unprivileged user account is enough) before launching it; from there it lets the attacker install malware or spyware (see details at Yahoo News).
The other attack exploits a flaw in the way Zoom handles the webcam and microphone. Normally, macOS asks the user for consent before any app can access the camera or microphone, but that consent is granted per application, and Zoom already has it.
Malicious code that gets itself loaded into the Zoom application inherits that permission, so it can take over the camera and microphone without ever triggering a consent prompt. That lets the malware record audio and video on the infected computer without the user knowing (see more details at the above link and also at Digital Guardian).
Since Patrick disclosed these bugs publicly without first telling Zoom, there is no fix yet, but Zoom says it is working on them.
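For the technically inclined, here is a small check in the spirit of the camera/microphone problem above. It is an added example written for this alert, not code from Zoom or from Patrick Wardle. The assumption it makes: an app whose code-signing entitlements disable library validation can be made to load a library that its own developer never signed, and code running inside the app shares the app’s camera and microphone consent. The script below scans an entitlements listing for that setting. The two plists in it are constructed for the example; on a real Mac you would pipe in the output of `codesign -d --entitlements :- /Applications/SomeApp.app` instead.

```shell
#!/bin/sh
# Added example, not from the original alert. Flags an app whose code-signing
# entitlements turn off library validation, which is the setting that lets
# foreign (unsigned or differently signed) libraries load into the app and
# inherit whatever camera/microphone consent the app already holds.

# Reads an entitlements plist on stdin. Exit status 0 means library
# validation is DISABLED (risky); 1 means it is enforced or not mentioned.
library_validation_disabled() {
  # Join lines first so the <key> and the <true/> that follows it can be
  # matched together no matter how the plist is indented or wrapped.
  tr -d '\n' | grep -q \
    '<key>com\.apple\.security\.cs\.disable-library-validation</key>[[:space:]]*<true/>'
}

# Prints a one-word verdict for the plist passed as $1 and always returns 0,
# so it can sit in a larger script without aborting it.
verdict() {
  if printf '%s' "$1" | library_validation_disabled; then
    echo "RISKY"
  else
    echo "OK"
  fi
  return 0
}

# CONSTRUCTED sample: a hypothetical Example.app that asks for the camera and
# microphone and also disables library validation.
RISKY_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>com.apple.security.device.camera</key>
  <true/>
  <key>com.apple.security.device.audio-input</key>
  <true/>
  <key>com.apple.security.cs.disable-library-validation</key>
  <true/>
</dict>
</plist>'

# CONSTRUCTED sample: the same app with library validation left enforced.
SAFE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>com.apple.security.device.camera</key>
  <true/>
  <key>com.apple.security.device.audio-input</key>
  <true/>
  <key>com.apple.security.cs.disable-library-validation</key>
  <false/>
</dict>
</plist>'

echo "Example.app (risky build): $(verdict "$RISKY_PLIST")"
echo "Example.app (fixed build): $(verdict "$SAFE_PLIST")"
```

A “RISKY” verdict does not by itself mean an app is exploitable, only that one of the guard rails around its camera and microphone permission is off; it is the kind of thing to raise with the vendor, and the kind of thing a vendor fixes by dropping the entitlement and shipping an update.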
This comes right after the FBI warned people about Zoom bombing, which is really a problem of poor meeting hygiene: no meeting password, meeting links shared publicly, and screen sharing left open to every participant.
Suffice it to say, the developers at Zoom are busy right now.
As a user there is not much to do but keep the Zoom client updated so you get the fixes as soon as they ship, be careful about clicking links posted in a meeting’s chat, and watch for sketchy indicators that something might be amiss, such as the camera light coming on when you are not in a meeting.