Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security

Ex-NSA Hacker Drops New Zero-Day Doom for Zoom (techcrunch.com) 22

Zoom's troubled year just got worse. From a report: Now that a large portion of the world is working from home to ride out the coronavirus pandemic, Zoom's popularity has rocketed, but also has led to an increased focus on the company's security practices and privacy promises. Hot on the heels of two security researchers finding a Zoom bug that can be abused to steal Windows passwords, another security researcher found two new bugs that can be used to take over a Zoom user's Mac, including tapping into the webcam and microphone. Patrick Wardle, a former NSA hacker and now principal security researcher at Jamf, dropped the two previously undisclosed flaws on his blog Wednesday, which he shared with TechCrunch. The two bugs, Wardle said, can be launched by a local attacker -- that's where someone has physical control of a vulnerable computer. Once exploited, the attacker can gain and maintain persistent access to the innards of a victim's computer, allowing them to install malware or spyware.
This discussion has been archived. No new comments can be posted.

Ex-NSA Hacker Drops New Zero-Day Doom for Zoom

Comments Filter:
  • The two bugs, Wardle said, can be launched by a local attacker -- that's where someone has physical control of a vulnerable computer.

    Pretty amusing to present a bug that can only happen if the attacker is inside the same house everyone else is already stuck in. Seems like you have bigger problems than a Zoom attack if someone is in your house without you knowing.

    • by Mal-2 ( 675116 ) on Wednesday April 01, 2020 @12:21PM (#59897594) Homepage Journal

      It's relevant if you have to hand your computer over to your IT department to install Zoom though. This was very common in an office I worked at, back when the solution was Citrix. Getting it configured remotely was always a nightmare, I was one of only three people in the office (of 80) who was able to get the software set up at home -- and I needed a cheat sheet from IT. Everyone else just dragged their computer into the office to have it installed and configured, even if it was a desktop. In such a case, a malicious employee could pwn every machine they touch and nobody would ever be the wiser.

      • If you IT department hacks a company computer, you have bigger problems in the kind of people your company hires. They already have the keys to the kingdom. And if it is your own computer, why are you using it for work? If you are a contractor (like me) and use a personal computer, then don't use it for stuff that forces you to install company software, get them to give you a computer for secure stuff. Fuck them. Company work requires a company computer. And company computers should only be used for company
        • by Mal-2 ( 675116 )

          Only people who were expected to work remotely on a regular basis -- like sales -- got company laptops. Anyone else who wanted to take advantage of work from home policies that allowed us to do it one day a week had to provide their own hardware. In a handful of cases, employees were provided with retired office computers that otherwise would have been scrapped or sold, because they did not own one at all.

      • by flink ( 18449 )

        Most IT departments already have some provision to take remote control of your PC anyway.

    • by gweihir ( 88907 )

      Indeed. General consensus among actual computer security experts is that an attacker with physical access has already won.

  • If an attacker has physical access, you're hosed anyways.

  • If he didn't tell Zoom about this with a chance to patch first, he should be beaten and no longer allowed to use computers.

    • by E-Rock ( 84950 )

      Patch what? The hole in MacOS that they used and that malware could use without the Zoom installer?

    • by trawg ( 308495 )

      The argument raised by a few people I've seen in infosec (e.g., Tavis Ormandy [twitter.com] of Project Zero at Google) is that the problem is in the installer, so responsible disclosure in this case could mean another 30-90 days (whatever the period is) of people installing it /now/, while it is still vulnerable and there are so many people doing so as they switch to working from home/remotely.

  • In addition to requiring physical access to modify either the Zoom installer or Zoom executable, these really seem like holes in the Mac installation and permissions system. The first says that a modified Zoom installer can get root. How is it the application's responsibility to prevent a malicious installer from doing nasty things? If it is possible to create an installer that appears to be signed properly but isn't, or installs something that isn't covered by the signature, then that is the fault of th

    • Heh.

      "There's a bug in Zoom, in that, if you download something that's **not actually Zoom** it can take over your computer."

      -- Average tech article

  • Great business case, provide service that would be useful during a crisis and then - clean up on the backend!

    Conspiracy theorists must be vibrating over this thought.

  • Mitigating for physical access is like letting someone in your house and telling them not to steal the stuff out of your safe. They can still steal the safe and crack it at their leisure. This is a bad sound byte.

To thine own self be true. (If not that, at least make some money.)

Working...