Critical Zoom Vulnerability Triggers Remote Code Execution Without User Input

An anonymous reader quotes a report from ZDNet: A zero-day vulnerability in Zoom which can be used to launch remote code execution (RCE) attacks has been disclosed by researchers. The researchers from Computest demonstrated a three-bug attack chain that caused an RCE on a target machine, and all without any form of user interaction. As Zoom has not yet had time to patch the critical security issue, the specific technical details of the vulnerability are being kept under wraps. However, an animation of the attack in action demonstrates how an attacker was able to open the calculator program of a machine running Zoom following its exploit. As noted by Malwarebytes, the attack works on both Windows and Mac versions of Zoom, but it has not -- yet -- been tested on iOS or Android. The browser version of the videoconferencing software is not impacted. Computest researchers Daan Keuper and Thijs Alkemade earned themselves $200,000 for this Zoom discovery, as it was part of the Pwn2Own contest.

In a statement to Tom's Guide, Zoom thanked the Computest researchers and said the company was "working to mitigate this issue with respect to Zoom Chat." In-session Zoom Meetings and Zoom Video Webinars are not affected. "The attack must also originate from an accepted external contact or be a part of the target's same organizational account," Zoom added. "As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust."

Jitsi Meet ; re-inventing the wheel

[DrYak]

Meanwhile, Jitsi's "Meet" is a similar web-based chat, but at least that one is opensource, including the server, thus:
- it's possible to run your own private instance.
- it's possible to have 3rd parties review the code for such problems.

Also fed-up with those companies needing to re-invent the wheel. Badly.
Most of the companies offering chat proprietary solutions (Slack, Zoom, Microsoft Teams, etc.) aren't offering much new things beyond what IRC and SIP/H323 have been offering for ages, except maybe a less ugly web-based interface, but that's about it.

Re: Jitsi Meet ; re-inventing the wheel

[dknj]

Jitsi is not entirely open source. There is a binary blob that is closed source that must be fetched as part of the install.

Re: Jitsi Meet ; re-inventing the wheel

[dskoll]

Really? Which part of Jitsi is this binary blob?

Re:

[i.r.id10t]

Enterprise type stuff like integrating with your existing authentication/identity system, managing rights, etc.

Re:

[bill_mcgonigle]

> but that's about it.

e2e crypto.

OTR

[DrYak]

e2e crypto.

You might be missing what protocols like OTR did on older chat networks.

Also, most on the new contenders (Zoom, Slack) actually suck in the end-to-end encryption department (it's only marketing fluff with Zoom, and it's crickets with Slack).

You have to look to matrix derivatives (like riot/elements) to see a modern IRC-like with encryption done right. (and again, that one is opensource, and you can self-host your own server).

Re:

[angel'o'sphere]

I did not know you can make a vide conference with IRC.
Not to mind with 10k people same time.

Astonishing how not up to date so called old school geeks are. Hand back your geek card.

(And: zoom is an application, not a web site, hence the remote code execution problem, actually a no brainer. Did you ever have a geek card?)

Not new

[DrYak]

I did not know you can make a vide conference with IRC.

Just a few word further in my top post:
what IRC and SIP/H323

H323 and SIP are video call open standard which have been available for ages (venerable Netmeeting in Windows was already using it) and are still used nowadays (e.g.: most hardware in conference rooms still relies on SIP as does your company's VoIP network).
In fact even the modern "business-y" video call systems like Zoom, need to also implement SIP protocol anyway just to interoperate with the hardware.

Not to mind with 10k people same time.

Back when H323 was introduced, phone confere

Re:

[angel'o'sphere]

And you fail to grasp: SIP and H323 have nothing to do with IRC.

And Zoom et al. has nothing to do with SIP or H323 either.

So no idea what your rant is about.

The WebApp jab was aimed at Slack, Team, and all those "webapp whose desktop version is basically the webapp bundled in a Chrome-based browser, and a couple of extra plugins slapped in".
Ah, did not get that. My fault. But bottom line nothing wrong with it.

Security through obscurity!

[Merk42]

As noted by Malwarebytes, the attack works on both Windows and Mac versions of Zoom, but it has not -- yet -- been tested on iOS or Android. The browser version of the videoconferencing software is not impacted.

No one knows the Linux version even exists!

Re:

[ArchieBunker]

It exists and sucks battery power like nothing else.

Containers: Re:Security through obscurity!

[GM]

For that security point of view, I know at least four ways to get a desktop version of Zoom for classical Linux distribution:
- zoom for zoom website (deb, rpm, tar ... ): if the vulnerability is present in MacOS, I would suspect it is present in Linux.
- zoom-client in snap container (Ubuntu default, I guess, thus I believe the most common): does the snap install vulnerable ?
- us.zoom.Zoom in flatpak container (Redhat): does the flatpak install vulnerable ?
- zoom in AppImage: I hope people run zoom with fire

Principle of least privilege -- lost

[Anonymous Coward]

Why does teleconferencing software have enough privileges to open and execute files?

The principle of least privilege has been known for decades in CS. It's embarrassing that enterprise companies and governments can buy software not following basic principles of software security. And that our OSes and tools still default to insecure settings (e.g. no bounds checking) and full privileges.