Ex-NSA Hacker Drops New Zero-Day Doom for Zoom (techcrunch.com)
Zoom's troubled year just got worse. From a report: Now that a large portion of the world is working from home to ride out the coronavirus pandemic, Zoom's popularity has rocketed, but also has led to an increased focus on the company's security practices and privacy promises. Hot on the heels of two security researchers finding a Zoom bug that can be abused to steal Windows passwords, another security researcher found two new bugs that can be used to take over a Zoom user's Mac, including tapping into the webcam and microphone. Patrick Wardle, a former NSA hacker and now principal security researcher at Jamf, dropped the two previously undisclosed flaws on his blog Wednesday, which he shared with TechCrunch. The two bugs, Wardle said, can be launched by a local attacker -- that's where someone has physical control of a vulnerable computer. Once exploited, the attacker can gain and maintain persistent access to the innards of a victim's computer, allowing them to install malware or spyware.
Ha Ha good one (Score:2, Funny)
The two bugs, Wardle said, can be launched by a local attacker -- that's where someone has physical control of a vulnerable computer.
Pretty amusing to present a bug that can only happen if the attacker is inside the same house everyone else is already stuck in. Seems like you have bigger problems than a Zoom attack if someone is in your house without you knowing.
Re:Ha Ha good one (Score:5)
It's relevant if you have to hand your computer over to your IT department to install Zoom though. This was very common in an office I worked at, back when the solution was Citrix. Getting it configured remotely was always a nightmare; I was one of only three people in the office (of 80) who was able to get the software set up at home -- and I needed a cheat sheet from IT. Everyone else just dragged their computer into the office to have it installed and configured, even if it was a desktop. In such a case, a malicious employee could pwn every machine they touch and nobody would ever be the wiser.
Re: (Score:2)
Only people who were expected to work remotely on a regular basis -- like sales -- got company laptops. Anyone else who wanted to take advantage of work from home policies that allowed us to do it one day a week had to provide their own hardware. In a handful of cases, employees were provided with retired office computers that otherwise would have been scrapped or sold, because they did not own one at all.
Re: (Score:2)
Most IT departments already have some provision to take remote control of your PC anyway.
Re: (Score:2)
Indeed. General consensus among actual computer security experts is that an attacker with physical access has already won.
Yawn... (Score:2)
If an attacker has physical access, you're hosed anyways.
Re: Yawn... (Score:2)
It's a local attack; if you can run software on the machine, which many viruses and JavaScript already can, you can use Zoom as a springboard to steal credentials.
Seems like he didn't give a warning (Score:5, Insightful)
If he didn't tell Zoom about this with a chance to patch first, he should be beaten and no longer allowed to use computers.
Because they are showing bad guys how to hurt you (Score:3)
Releasing information about how to hack people using Zoom puts all Zoom users at risk. (Or would, if this hack was significant). It's not about protecting the company from bad press, that happens anyway if you make the announcement after giving the vendor a chance to make a fix available to users, so that users can be protected.
A complaint about a car being unreliable or whatever doesn't put all of the owners of that car at risk.
Re: (Score:2)
Please kindly point out how being aware of any of those problems puts Tesla owners at risk. (Other than security problems with the system).
which came first? dynamite or Zippo (Score:1)
Alternately, one could say that—in a world filled with ignition sources—sitting on dynamite puts the Boom user at risk.
Zippo — founded 1932
Dynamite — patented in 1867
TNT — 1863
But let's all blame George G. Blaisdell for inventing the Zippo lighter in a world already filled with high explosives.
Re: (Score:3)
Why? In any other product category besides software this does not apply. People regularly complain about flaws in cars without notifying the company first (*cough* tsla).
What's so different about a software company hiring codecamp programmers then suffering the consequences in the marketplace?
Because that "marketplace" you're so dismissive of, is your parents. And grandparents. And innocent kids.
Oh, and that other obvious point that what is left of the working "marketplace" is now highly dependent on this "product category" to do what work we can remotely, to include doctors, hospitals, and patients.
Next time you ask why, try and think about someone other than yourself for once. We have responsible reporting standards for a reason.
Re: (Score:2)
Patch what? The hole in MacOS that they used and that malware could use without the Zoom installer?
Re: (Score:2)
The argument raised by a few people I've seen in infosec (e.g., Tavis Ormandy [twitter.com] of Project Zero at Google) is that the problem is in the installer, so responsible disclosure in this case could mean another 30-90 days (whatever the period is) of people installing it /now/, while it is still vulnerable and there are so many people doing so as they switch to working from home/remotely.
Aren't these Mac flaws? and overblown (Score:2)
In addition to requiring physical access to modify either the Zoom installer or Zoom executable, these really seem like holes in the Mac installation and permissions system. The first says that a modified Zoom installer can get root. How is it the application's responsibility to prevent a malicious installer from doing nasty things? If it is possible to create an installer that appears to be signed properly but isn't, or installs something that isn't covered by the signature, then that is the fault of th
Re: (Score:2)
Heh.
"There's a bug in Zoom, in that, if you download something that's **not actually Zoom** it can take over your computer."
-- Average tech article
Zoom has been waiting patiently just for this (Score:2)
Great business case, provide service that would be useful during a crisis and then - clean up on the backend!
Conspiracy theorists must be vibrating over this thought.
All bets are off with physical access (Score:2)