[BreachExchange] Taking a Closer Look at Zoom

Destry Winant destry at riskbasedsecurity.com
Mon Apr 27 10:17:04 EDT 2020


https://www.riskbasedsecurity.com/2020/04/27/taking-a-closer-look-at-zoom/

When there is any crisis or major security event, you can count on a
lot of news attention as well as security companies and researchers
writing blogs – all providing their hot takes. There is a fine balance
between adding actual relevant information and insight versus
ambulance chasing and regurgitation. Given the current COVID
situation, we have done our best to tread carefully.

Providing value and a central source of reporting has always been in
our DNA at Risk Based Security. When new events happen that are in our
wheelhouse, particularly involving data breaches or vulnerabilities,
we will provide our insight. Speaking of which, this leads us to Zoom!

________________________________

In This Article:

‘Shall We Zoom?’
Arising Issues on Two Fronts
The Zoom Blacklist
Is Zoom Safe To Use?
Security Industry Hot Takes
Zoom’s Security Response and Actions
Risk Based Security’s Insight

________________________________

‘Shall We Zoom?’

It almost seems as if Zoom became a sensation overnight for millions
of people, with the company/product name even starting to be used as a
verb, reaching the likes of “Google it”. But while many are just now
hearing about and using Zoom, the company was founded in 2011 and has
been around for nine years, used by thousands of companies world-wide
as part of client meetings, including product demonstrations.

For many users, the COVID-19 pandemic is the main reason why they have
heard of Zoom, as it has increasingly become a go-to product for
families and friends to stay in touch. Aside from family use, Zoom has
even been used for wedding ceremonies, and educational facilities have
turned to Zoom because they need to be able to continue conducting
classes, both for school and for after-hours activities.

Even before the pandemic, business use of Zoom had been growing over
the past several years, especially for conducting remote meetings and
demos. While most have understood that Webex has basically dominated
the landscape for over a decade, frustrations with stability, security
concerns, ease of joining meetings and lack of features have caused
many to look for alternative products.

Stepping in to fill the gap in the market, Zoom has become known for
being very reliable, boasting no major outages, and the quality of the
experience has been top notch for many. It is cross-platform and
easy-to-use, which makes it easy to adopt. Zoom also has an added
element of fun, giving users the ability to upload pictures and
creative virtual backgrounds.

The reliability of the offering and Zoom’s features has made it
culturally relevant with shows like SNL and other media outlets giving
attention to amusing user mistakes and work fiascos.

Arising Issues on Two Fronts

Unfortunately, the Zoom rocketship-success story didn’t last that long
without significant controversy. As recent attention grew, a number of
issues were uncovered relating to privacy settings as well as
vulnerabilities within the platform itself.

1. ZOOMBOMBING

The first thing that started to happen was “Zoombombing”, where trolls
started to cause significant problems for unsuspecting users that had
not enabled authentication on their calls. While the practice is
largely seen as a prank, children have been exposed to explicit images
and in some cases we are seeing law enforcement arresting those
responsible.

The ability to “Zoombomb” has brought a lot of concerns, not only to
educational facilities, but to normal users and new work from home
folks as well. In many cases, Zoombombers are able to crash these
calls due to sharing of Meeting IDs in invites or screenshots as well
as taking advantage of the default insecure settings. The good news is
that many of these attacks can be easily avoided.

2. VULNERABILITIES AND PRIVACY ISSUES

While the media continues to report on new Zoom bombing attacks, there
are also a good number of reports of security vulnerabilities and
privacy concerns within the platform. As these issues come to light,
Zoom has found itself in a California lawsuit and it is expected that
there will be more to come.

All of these issues lead to the question: is Zoom safe to use or not?
And as is often the case when it comes to security, there isn’t a
clear-cut answer.

The Zoom Blacklist

A complete analysis of Zoom from a security perspective hasn’t been
completed, yet the overwhelming presence of sensational articles from
the news media has led to quite a bit of confusion. Given the material
out there, it is not hard to view Zoom as a massive security risk
leading to some companies, governments and educational institutions
banning or discontinuing the use of Zoom.

Google has banned Zoom from company-owned computers. Administrators
will disable it this week, and Google employees have been directed to
use Google’s own Duo instead.
SpaceX has forbidden employees from using Zoom, citing security and
privacy concerns.
Smart Communications, a Philippines-based ISP, has banned Zoom for internal use.
This list of countries where Zoom won’t function is based on the US
government’s list of sanctions.
Taiwan has banned Zoom for use by all government agencies.
NASA has banned all employees from using Zoom.
The German Foreign Ministry has restricted Zoom use to personal
computers in emergency situations only, as reported by Reuters.
The United States Senate has urged its members to choose platforms
other than Zoom due to security concerns, but has not issued an
outright ban (although at least one congressman has called for it).
The Australian Defense Force banned its members from using Zoom after
an Australian comedian Zoom bombed one of its meetings.
Singapore bans teachers using Zoom after hackers post obscene images on screens.
New York City’s Department of Education has banned teachers from using
Zoom and encourages them to switch to Microsoft Teams.

The decision of high-profile organizations like these to ban the use
of Zoom appears to validate the perception of critical security issues
plaguing the platform. However, while many home users have concerns,
many questions remain and few alternatives are as well known. As a
result, many home users set aside their privacy and security concerns
and continue to use Zoom to stay in touch with loved ones.

In the private sector, despite the press attention on the
aforementioned bans, anecdotal evidence suggests that many businesses
and companies continue to use Zoom.

Meanwhile in the government sector, the pattern is inconsistent. After
the Department of Homeland Security and the General Services
Administration advised agencies not to use the free video
teleconferencing system from Zoom, a casual survey of agency CIOs
found that most were not using it in the first place. At the same
time, the DoD has said that Zoom is officially approved for use in
unclassified situations by troops, DoD employees, and contractors.

Is Zoom Safe To Use?

Before we can make a decision or help organizations evaluate their own
risk of using Zoom, it is important to more fully explore and
understand the various issues facing Zoom.

USER AWARENESS AND CONFIGURATIONS PROBLEMS

Zoom’s ease of use became a double-edged sword. It is incredibly
convenient to be able to join a call by clicking a single button, but
this feature sidesteps security measures. If you combine this removal
of friction with the fact that the majority of users don’t have a
basic security understanding, you get a situation where people will
often be taken advantage of.

“People can change their settings to make it less likely they will be
harassed, but few people do and they’re not to blame. The company
didn’t focus on security and other dangers when it should have.
Zoombombing is now a consequence of the company’s deliberate choices
to make voice calling a breeze.”

Shira Ovide, NY Times

Zoombombing is easy to do, if you have the link – and finding the link
can be easy given user behavior and tools being created specifically
for finding Zoom meeting IDs. In response, Zoom issued guidelines to
mitigate intrusions and enacted common-sense security measures such as
password protection. Social media users have also posted their tips on
how to deal with the annoyance.

Jessica Lessin (@Jessicalessin) · Mar 20, 2020

Our video call was just attacked by someone who kept sharing
pornography + switching between different user accounts so we could
not block them. Stay tuned for next steps. And I am sorry to everyone
who experienced. We shut down as soon as we could.

Ana (@AnaAgneshwar)

We just got zoombombed. Change screensharing to “Host Only”
Disable “Join Before Host” so people can’t cause trouble
Disable “File Transfer” so there’s no digital virus sharing.
Disable “Allow Removed Participants to Rejoin” so booted attendees
can’t slip back in.

2:43 PM - Mar 20, 2020

But despite these tips, Zoom bombing isn’t slowing down… In fact, some
suggest that the practice will continue to get worse. Zoom bombing has
even been showcased as a form of playful entertainment, further
encouraging bored intruders.

SECURITY VULNERABILITIES

Aside from user problems and configuration issues, security
researchers have disclosed numerous issues and vulnerabilities within
the platform itself. One of the first issues that got massive media
attention was the discovery that the iOS Zoom app was sending user
device data to Facebook, even if the user did not have a Facebook
account. The data that was being sent informed Facebook when the app
was opened and by which device – such as model, time zone, city, and
phone carrier. A unique advertiser identifier was also created and
associated with that device allowing companies to send targeted
advertisements to that user.

On March 30, two bugs were found by former NSA hacker Patrick Wardle
and then disclosed on Twitter by @c1truz_:

Felix (@c1truz_)

Ever wondered how the @zoom_us macOS installer does its job without
you ever clicking install? Turns out they (ab)use preinstallation
scripts, manually unpack the app using a bundled 7zip and install it
to /Applications if the current user is in the admin group (no root
needed).

4:26 PM - Mar 30, 2020

The first vulnerability involved the installer, which essentially took
over admin privileges to gain root access to a user’s computer. It
also used pre-installation scripts and displayed a faked macOS system
message (which doesn’t sound so different from our previous covert
redirect phishing examples). Although this vulnerability isn’t
“strictly malicious”, it is undoubtedly a shady practice. In fact,
this method of installation is described by @c1truz_ to be using the
“same tricks… used by macOS malware”.

The other vulnerability found by Wardle involved Zoom’s access to the
camera and microphone permissions. The article suggests that this
vulnerability is much more serious if exploited, as it would allow
attackers to hijack a Zoom user’s camera and microphone without their
knowledge.

However, we believe the installer issue was the more severe issue, as
it allowed a local attacker to gain root privileges on the system.
This follow-up issue does allow bypassing the Hardened Runtime
protection to gain access to the microphone and camera unprompted, but
it first requires write privileges to the application’s
Contents/Frameworks folder, meaning that it is dependent on the
first vulnerability.

Unfortunately for Zoom, another issue was found on the same day of
March 30th. Despite their marketing material, it was discovered that
Zoom did not actually have end-to-end encryption. Instead, Zoom relied
on “transport encryption”, which allows them to mine unencrypted
messages and video files for targeted advertisements. When contacted,
a Zoom spokesperson advised:

“Currently, it is not possible to enable E2E encryption for Zoom video
meetings. Zoom video meetings use a combination of TCP and UDP.”

Zoom spokesperson

The discovery of these issues has led to distrust and has led to
several lawsuits, with many of them citing the California Consumer
Privacy Act. These vulnerabilities, and additional findings of leaked
email addresses and personal data, including over 500,000 Zoom
accounts found for sale on the dark web, have sparked numerous privacy
concerns about Zoom’s privacy policy and how data is being routed.

At the time of publication of this article, we track a total of nine
vulnerabilities for the Zoom Client for Meetings (five of these
disclosed in 2020) in VulnDB.

PRIVACY CONCERNS

Zoom’s privacy policy states that it collects a multitude of data on
users, including your name, physical address, email, phone number, job
title, and employer. However, when we factor in the previous bugs and
vulnerabilities mentioned earlier, Zoom also collects:

Facebook profile information;
Device information;
Network information;
The user’s operating system;
Zoom usage information;
Phone carrier;
Time zone

While some of this data is provided directly by the user when
registering, the vast majority of what has been listed is
automatically and quietly collected by the Zoom app. In Zoom’s privacy
policy they assure that they do not “sell” this data to third parties.
However, if you read further it says:

“As described… Zoom does use certain standard advertising tools on our
marketing sites which… sends personal data to the tool providers such
as Google. This is not a “sale” of your data in the sense that most of
us use the word sale. However, California’s CCPA law has a very broad
definition of “sale”. Under that definition, when Zoom uses the tools
to send the personal data to the third-party tool providers, it may be
considered a “sale”.

Zoom’s Privacy Policy

So although Zoom user data is not “sold” to third parties, it is
“shared” which doesn’t make the matter any better for consumers.

FOREIGN CONCERNS

Since this trove of data is being collected and stored, many analysts
and users have been concerned with foreign targeting, especially from
China. According to Time, U.S. counterintelligence agencies have
observed espionage attempts from Russia, Iran, and North Korea as well
– all of them trying to spy on Americans’ Zoom video chats.

Zoom faced further scrutiny when it was found that some calls and data
were being routed through China. Given that the Chinese government is
notorious for heavily monitoring and controlling internet use, many
feared that they would force Zoom to decrypt the data routed through
those servers.

In response to this discovery, Eric Yuan, Zoom’s CEO, stated that
Chinese servers were deployed quickly to “come to the aid of people
around the world” during the sharp rise in use during the pandemic. In
order to allay mistrust, Zoom then implemented a feature to control
data routing (mainly to exclude Chinese servers).

Security Industry Hot Takes

Are all these perceived issues in Zoom serious or media hype? The
security industry appears to be divided into three mindsets.

1. “ZOOM IS THE WORST”

“If you care about your security and privacy, perhaps stop using Zoom.”

Patrick Wardle, former NSA hacker, principal security researcher at Jamf

It seems that many people, especially researchers, fall into this
bucket due to the growing list of criticisms Zoom has faced this year.
Ultimately, it comes down to a shortage of trust resulting from the
lack of transparency, company foresight, and code maturity.

Researchers are having a field day disclosing everything they can find
on Zoom with the media following closely, even if the issue wouldn’t
be of interest normally. There are many Twitter threads, created by
researchers like Mudge, detailing issues and potential attacks.

TechCrunch sums up the arguments for dropping Zoom, or at least using
it with heavy scrutiny. Perhaps Zoom has flown too close to the sun
and will unceremoniously hit the ground. With a growing list of
vulnerabilities, coupled with privacy policy issues and the lack of
transparency, many see Zoom as a heavy security liability.

2. “ZOOM ISN’T THAT BAD; THEY’RE TRYING”

People who fall into this bucket understand that the issues involving
Zoom are potentially serious, but are also sympathetic to the fact
that Zoom saw an incredible, unforeseen increase in its user base.
Jumping from 10 million customers to over 200 million in just three
months, it is understandable to a degree that issues were discovered
as more attention was given to the software.

When confronted with the issues, Zoom has been very responsive and has
made solid PR decisions. The quick response and emphasis on improving
security has alleviated some of the pressure. Which is a good thing,
because researchers are often met with silence when security issues
are uncovered. If Zoom had acted in that manner, it would have been a
death sentence within the security community.

3. “ZOOM ISN’T THE PROBLEM”

The argument here isn’t that Zoom has no flaws, but that the company
is being unfairly attacked by most of the security community as well
as the media. Defenders say that many of the “vulnerabilities”
affecting Zoom are either not as damaging as presented, or that some
aren’t necessarily issues with the actual product.

Amit Serper, along with David Kennedy and Russ Handorf, authored an
informative piece advising that many of the vulnerabilities have
already been dealt with, and stating that other competing products had
similar concerns. Adding to this, they expressed frustration that some
publications were falsely labeling Zoom as malware, feeding the
public’s distrust and fear of compromise.

This fear of misinformation is concerning. We at Risk Based Security
also want to make a clear distinction that Zoom is not malware.
Forbes’ Davey Winder expressed a similar sentiment and has documented
that hackers are capitalizing on this misinformation, noting that
between February and March, there was an increase above 2,000% in
malicious files with “zoom” in the name.

Zoom’s Security Response and Actions

Adding to Zoom’s defense, Eric Yuan, the CEO of Zoom, has been pretty
transparent about the issues that they are now facing related to
security and privacy. He has apologized numerous times to the press
and has openly discussed the issues in interviews with Bloomberg.

To Zoom’s credit, Yuan has been consistent in his messaging,
emphasizing that he knows that Zoom has fallen short of privacy and
security expectations and that he is doing everything he can to remedy
the situation.

It seems like Zoom is actually making a meaningful effort to improve
rather than to solely improve public perception, including the
following actions:

FEATURE FREEZE

In order to demonstrate their dedication to security, Zoom decided to
dial back on pushing new features for 90 days. Instead, they have
promised to focus solely on security issues to maintain and win back
customer trust.

Zoom has already made steady progress. A day after announcing the
feature hold, Zoom fixed the issue with their macOS installer, removed
a LinkedIn data mining feature, and patched a vulnerability involving
Windows. They have also promised to release regular transparency
reports.

VULNERABILITY RESPONSE

Despite a corporate climate where data breaches, leaks, and security
issues seem like a daily occurrence, Zoom’s responses and transparency
have been acknowledged positively, differentiating themselves from
many other vendors with boilerplate PR responses.

As part of their feature hold initiative, Zoom is bolstering their
vulnerability response and has received a reaction that few companies
in its situation receive – praise. Too many times researchers are met
with either silence or months (or years) of reserved responses. Being
vulnerability researchers ourselves, we know the pains of coordination
all too well.

ENHANCED BUG BOUNTIES

Along with increased resources being put into their vulnerability
response teams, Zoom is also enhancing their bug bounty program. This
is a good step forward, but Zoom needs to ensure they end practices
like the use of non-disclosure agreements (NDAs), or their bug bounty
program may be seen as a marketing stunt.

NDAs create the perception among security researchers that “their
silence is being bought and sold to prevent public exposure of
insecure practices”. Overall, bug bounty programs are supposed to be
beneficial for both researchers and the impacted organization, but if
Zoom tries to silence the issue it will find that researchers will go
straight to the press and bypass them entirely.

That is what happened last summer, before Zoom’s massive gain in
market share. Security researcher Jonathan Leitschuh found a
vulnerability involving Zoom’s webcam use and reached out to Zoom’s
bug bounty program through Bugcrowd. As standard etiquette demands,
Leitschuh gave Zoom 90 days to remediate the issue before publication.
However, they failed to do so and asked him to sign an NDA, barring
him from disclosing and publishing the issue even if the vulnerability
would be patched. Of course, he refused.

That practice does not bode well with the security community, and
hopefully, with their revamp, Zoom will ensure that all parties
benefit from the good work that vulnerability researchers do. But with
the increased scrutiny Zoom is receiving, some experts within the
space have voiced concerns regarding ineffective bug bounty programs.

ENGAGING SECURITY EXPERTS

Concerns involving Zoom’s bug bounty program however may not be an
issue for long, as Zoom reached out to Katie Moussouris and officially
tasked her with improving the bug bounty program. In addition to
hiring Katie, well known experts and security personalities have been
added to Zoom’s security roster, including former Facebook CISO Alex
Stamos, privacy expert Lea Kissner, cryptographer Matthew Green, and
three additional well known security firms.

Katie Moussouris (@k8em0) · Apr 15, 2020
Replying to @k8em0

I’m excited to highlight my colleagues who are adding their expertise
in the next few weeks. In addition to welcoming my former colleague
@alexstamos to the extended Zoom security family
I’d like to welcome @LeaKissner @matthew_d_green @bishopfox
@NCCGroupInfosec @trailofbits

Sister HxA full of trace(route) (@hexadecim8)

Dam, Katie didn't say she was forming The Avengers of pandemic cyber
security on these streets

5:40 AM - Apr 16, 2020

H. Poteat (@NSQE)

Thiiiiiiiiis is the highlight of the latest news coming out of Zoom,
and thank you, @iMeluny. There are a hundred people Zoom could hire if
they just wanted figureheads to look important and sweep crap under
the rug. Zoom hired shit-stirrers. Firebrands. People who WILL scream.
https://twitter.com/iMeluny/status/1250831926698491904 …

Melanie Ensign (@iMeluny)
Replying to @iMeluny and 3 others

A positive sign, based on my experience w/ these individuals — you
don’t ask @k8em0 @alexstamos @LeaKissner to look under the hood unless
you’re prepared to hear bold (& often difficult) truths. <3

If Zoom heeds their counsel, it will likely have formidable capabilities soon.

12:59 PM - Apr 16, 2020

Public reception to Zoom engaging with experts has been mostly
positive, although there are individuals within the security community
who don’t appear to be entirely sold, some calling Zoom out by name
and others believed to be doing so more generically.

Hoff (@Beaker)

There are people in the InfoSec industry who are held up as idols &
heroes within the community who have, under their watch, presided over
MULTIPLE mega breaches & privacy debacles yet continue to be given air
time & lauded for their expertise & leadership FOR FAILURE AT SCALE

9:53 AM - Apr 10, 2020

No matter what the view is about the hirings and engagement, Zoom, and
their newfound expert panel have a good amount of work ahead of them.
It will be interesting to see if a clash will result between the
security panel and Zoom’s corporate goal of making the product simple
and easy-to-use.

WHAT’S NEXT FOR ZOOM

Overall, Zoom has a lot of work cut out for them as researchers and
the media continue to scrutinize both the product and the company.
Although many vulnerability disclosures are driven by altruism,
disclosure has in the past also been seen as a way to strengthen
resumes and build a reputation in the community. We can expect to see
security firms, researchers, and the media continue to focus on VPNs
and work from home tools like Zoom, and as the user base grows, so
will the scrutiny.

Zoom is on the precipice of either substantially losing market share
or driving further growth by capitalizing on their impressive PR
strategy. A Blind report found that 35% of professionals worry Zoom
may compromise their organization and 12% of Zoom users have dropped
the service due to those fears. That figure may continue to grow as
negative press coverage mounts and more companies are added to the
Zoom blacklist.

But Zoom’s ease-of-use that got them into this mess is also proving to
be its major strength. If Zoom can properly satisfy security concerns
while maintaining their current goodwill and transparency, well, that
is how brand loyalty is created.

Brand loyalty is incredibly important as the video app space becomes
more crowded, each with its own set of drawbacks. Zoom’s features have
made it accessible for nearly every kind of user, so if they can put
this behind them, they may be able to hold on to those 200 million
users.

As time passes, Zoom will continue to see more bugs. And in the
meantime, while they implement this 90 day freeze on features, their
competitors will ramp up their marketing efforts to increase their
share of the market.

The good news is that Zoom appears to be following through on their
promise of doubling down on security and privacy. As the Verge
reported, Zoom’s recent 5.0 update addresses many issues, including
enabling passwords for most customers, and making those and other
security settings on by default.

Risk Based Security’s Insight

Any time there are issues such as the ones Zoom is facing, emotions
and cognitive biases creep into the arguments. The best method we
believe as always is to take a risk-based approach and try to look at
actual data to better understand what is truly happening.

EVALUATING VENDORS THAT COULD PUT YOU AT RISK

At Risk Based Security we believe that it is important to evaluate
vendors and evolve beyond the Vulnerability Whack-a-Mole game as we
have discussed in the past:

“We need to continue to educate and enable organizations to start
looking at Vulnerability Management from a more strategic standpoint,
and apply more of a problem management approach. Ask yourself:

What if you knew the vendors or products that would most likely put
you at risk for a data breach or compromise?
What products or libraries/components cost the most to maintain securely?
What if you could easily look at your vendors and see how much they
care about their own security? Are they actively addressing the
vulnerabilities within the products they are shipping to you? And if a
vulnerability does make it through, how quickly do they respond and
provide a patch?

We do firmly believe that if organizations have access to easy to
understand ratings and are able to gather better insights about the
products they are relying on, they can take a strategic approach. They
can finally achieve proactive, risk-based vulnerability management,
set aside the squeaky mallet, and move on from the whack-a-mole game.”

It has long been debated whether vulnerability counts really matter
when it comes to evaluating software quality and overall security.
This topic like many in the security industry brings out some strong
opinions. Allen Householder weighed in on Twitter explaining that
CERT/CC gets this question often.

Our own CEO, Jake Kouns followed up with some thoughts as we at Risk
Based Security do value and evaluate how a vendor responds, but this
is just one of many metrics that we believe is important to understand
a product’s code maturity and investment in security.

Allen Householder (@__adh__) · Apr 11, 2020

Folks often ask us @certcc whether a vendor with lots of vuls is worse
than one with few. Wrong question. It’s all in how they respond - What
they do once they know about them is what counts. Zoom appears to be
doing it right.
https://twitter.com/BillDemirkapi/status/1248909505234075649 …

Bill Demirkapi (@BillDemirkapi)

Soon after this tweet, the CEO of Zoom @ericsyuan reached out and
offered me an internship. Excited to announce that I'll be joining
Zoom's security team for the summer.
https://twitter.com/BillDemirkapi/status/1245271580852322304

jkouns (@jkouns)

We agree that how a vendor responds to a vuln is important, but that
isn't the only thing. The types of vulns still being found gives us a
clear indication of the product's code maturity and their investment
in security.

5:25 PM - Apr 11, 2020

THREAT MODELS AND ATTACK VECTORS REALLY MATTER

While there have been a lot of news articles and reviews of Zoom, only
a few were detailed and attempted to point out technical issues. A
Twitter thread from Mudge was one of these, where he highlighted
security concerns for the Zoom client on Linux. However, while the
thread provided some useful insights, it didn’t provide the context
that a security practitioner really needs to make a proper risk
decision about the use of Zoom.

Mudge provided various information to back up his point of view, but
his conclusions about Zoom being an unsafe product mostly appeared to
be based on two things: (1) missing support for defense-in-depth (DiD)
security mechanisms like DEP and ASLR and (2) using a lot of
potentially dangerous functions, specifically mentioning “453 calls to
bad security” functions and “6316 to risky” functions.

To be fair, the fact that Zoom didn’t seem to enable any DiD security
mechanisms in the Linux client is very weak in 2020. They do deserve
to be called out for that poor security practice. That is part of even
a beginner’s SDL (Security Development Lifecycle). As Mudge also
points out, it does indeed make it a lot easier to exploit certain
types of vulnerabilities if found in the client. However, by itself it
doesn’t suggest that the Zoom client is an unsafe product and
shouldn’t be used.
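As an added illustration, not code from the article, from Mudge’s thread or from Zoom: the two mechanisms named above can be checked directly from a Linux binary’s ELF headers, with no disassembly. The C program below reports whether an image is position independent (e_type of ET_DYN, the precondition for ASLR to relocate the executable itself) and whether it asks for a non-executable stack (a PT_GNU_STACK segment without PF_X, the Linux form of DEP). It includes a builder for synthetic ELF headers so the inspector can be exercised without a real binary; the function names and those synthetic headers are constructed here and do not come from any tool.

```c
/* Added example, not code from the article or from Zoom: a small ELF64
 * header inspector for the two hardening properties the article discusses
 * for the Linux client. It reads only the ELF header and program headers,
 * so it can be pointed at a binary on disk or at an in-memory buffer.
 *   PIE       e_type == ET_DYN: the main image can be mapped at a randomised
 *             base, which is what lets ASLR apply to the executable itself.
 *   NX stack  a PT_GNU_STACK segment is present WITHOUT PF_X, i.e. the binary
 *             explicitly asks for a non-executable stack (DEP/NX on Linux).
 * Only 64-bit little-endian ELF is accepted; anything else reports 0.
 * build_synthetic_elf64() produces constructed, non-runnable headers purely so
 * the inspector can be tested without a real binary.
 */
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { MITIG_VALID = 1, MITIG_PIE = 2, MITIG_NX_STACK = 4 };

/* Returns a bitmask of MITIG_* flags for the ELF image in buf (0 = not ELF64). */
int inspect_elf64(const unsigned char *buf, size_t len)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh) return 0;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0) return 0;
    if (eh.e_ident[EI_CLASS] != ELFCLASS64 || eh.e_ident[EI_DATA] != ELFDATA2LSB) return 0;
    if (eh.e_phentsize != sizeof(Elf64_Phdr) || eh.e_phoff > len) return 0;

    int flags = MITIG_VALID;
    if (eh.e_type == ET_DYN) flags |= MITIG_PIE;

    /* Walk the program header table; each entry is bounds-checked against len
     * (e_phoff <= len was checked above, so the offset arithmetic cannot wrap). */
    for (Elf64_Half i = 0; i < eh.e_phnum; i++) {
        size_t off = (size_t)eh.e_phoff + (size_t)i * sizeof(Elf64_Phdr);
        if (off + sizeof(Elf64_Phdr) > len) break;
        Elf64_Phdr ph;
        memcpy(&ph, buf + off, sizeof ph);
        /* A missing PT_GNU_STACK is reported as "not NX": the binary never asked
         * for a non-executable stack, so the outcome is left to kernel defaults. */
        if (ph.p_type == PT_GNU_STACK && !(ph.p_flags & PF_X)) flags |= MITIG_NX_STACK;
    }
    return flags;
}

/* Builds a minimal constructed ELF64 image: one PT_LOAD segment plus an
 * optional PT_GNU_STACK segment with the given flags. Returns bytes written. */
size_t build_synthetic_elf64(unsigned char *out, size_t cap, Elf64_Half e_type,
                             int with_gnu_stack, Elf64_Word stack_flags)
{
    Elf64_Ehdr eh;
    Elf64_Phdr ph[2];
    size_t nph = with_gnu_stack ? 2 : 1;
    size_t total = sizeof eh + nph * sizeof(Elf64_Phdr);
    if (cap < total) return 0;
    memset(&eh, 0, sizeof eh);
    memset(ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = e_type;
    eh.e_machine = EM_X86_64;
    eh.e_version = EV_CURRENT;
    eh.e_phoff = sizeof eh;
    eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr);
    eh.e_phnum = (Elf64_Half)nph;
    ph[0].p_type = PT_LOAD;      ph[0].p_flags = PF_R | PF_X;
    ph[1].p_type = PT_GNU_STACK; ph[1].p_flags = stack_flags;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, ph, nph * sizeof(Elf64_Phdr));
    return total;
}

/* Convenience wrapper: build a synthetic image and inspect it in one call. */
int synthetic_mitigations(Elf64_Half e_type, int with_gnu_stack, Elf64_Word stack_flags)
{
    unsigned char buf[256];
    size_t n = build_synthetic_elf64(buf, sizeof buf, e_type, with_gnu_stack, stack_flags);
    return n ? inspect_elf64(buf, n) : 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <elf-binary>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror("fopen"); return 1; }
    /* Only the headers are needed; the first MiB covers any normal phdr table. */
    unsigned char *buf = malloc(1 << 20);
    size_t n = buf ? fread(buf, 1, 1 << 20, f) : 0;
    fclose(f);
    int m = inspect_elf64(buf, n);
    free(buf);
    if (!(m & MITIG_VALID)) { fprintf(stderr, "could not parse ELF64 headers\n"); return 1; }
    printf("PIE (ASLR-capable): %s\n", (m & MITIG_PIE) ? "yes" : "no");
    printf("NX stack (DEP):     %s\n", (m & MITIG_NX_STACK) ? "yes" : "no");
    return 0;
}
```

Run it as `./elfcheck /path/to/binary` to print both answers for a real executable; the synthetic builder covers the three cases a reviewer cares about (both mitigations present, both absent, and the stack flag never asserted). Tools such as checksec report the same bits plus RELRO and stack canaries; the point here is that the absence the article describes is visible in two header fields of the shipped binary.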

Similarly, we concur with Mudge that the prolific use of potentially
unsafe functions is a sign of a less than mature SDL but, again, by
itself (or even combined with the first point) it does not mean that
the Zoom client for Linux is unsafe and unfit for use.

Using these types of functions does increase the risk of making
mistakes where untrusted input is supplied in a manner that leads to a
vulnerability. However, if they are used carefully and correctly with
only trusted input, there is no problem as such with these functions
being used in the code. Even if untrusted input were passed to one of
these functions, it may still not result in a vulnerability if the
attack vector doesn’t give an attacker anything to gain.

Mudge states that based on these issues, the Zoom Client for Linux
“would be considered too easy to exploit” and that he’ll show “coding
vulnerabilities” in this thread. However, it’s relevant to note that
he never actually does that. He does provide an example of potentially
problematic use of the popen() function, but it does not constitute an
actual vulnerability even if referred to as such.

He later also clarifies that it was just intended as “an example of
identifying poor security coding practices” and encourages people to
find “a more exploitable example”. However, if the client was indeed
so flawed and easy to exploit, providing a legitimate vulnerability –
or better yet a slew of them – as an example would have gone a long
way to prove how unsafe it is.

Currently, there are only two known vulnerabilities reported for the
Zoom client for Linux. Both of these were reported and fixed in 2017.
However, it is equally important to understand that this doesn’t mean
that the product is then secure and safe to use. A lot of basic
vulnerabilities could likely be reported in the product in the near
future. Only an in-depth review of the product’s attack surface and
code itself can speak more to its actual security state.

Regardless, there are many things that Mudge points out where we
completely agree. The lack of support for security mechanisms like DEP
and ASLR as well as the use of potentially unsafe functions does
suggest less than secure code or at a very minimum a less than mature
Secure Development Lifecycle (SDL).
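The DiD mechanisms discussed in this paragraph and in the earlier one on the Linux client can be checked statically from a binary's program headers. The following is an added example, not code from the article or from Zoom: it parses an ELF64 image and reports whether it is linked as a position-independent executable (required for ASLR to relocate the main image), whether the stack is marked non-executable (the ELF side of NX/DEP) and whether a RELRO segment is present. The sample images it checks are constructed inline; pass a path on the command line to inspect a real binary. Stack canaries and full RELRO (BIND_NOW) need the symbol and dynamic tables and are not detected here.

```python
"""Static check of common Linux defense-in-depth (DiD) link-time mechanisms.

Added example (not from the article or from Zoom). Reads only the ELF64
header and program headers; the sample images below are constructed.
"""
import struct
import sys

# ELF constants from the ELF64 specification and the GNU program-header extensions.
ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ET_EXEC, ET_DYN = 2, 3
PT_INTERP = 3
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4

EHDR_FMT = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, little-endian
PHDR_FMT = "<IIQQQQQQ"           # Elf64_Phdr, little-endian


def check_elf_bytes(data):
    """Return hardening properties derived from an ELF64 image's headers."""
    if len(data) < struct.calcsize(EHDR_FMT) or data[:4] != ELF_MAGIC or data[4] != ELFCLASS64:
        raise ValueError("not a little-endian ELF64 image")
    (_ident, e_type, _mach, _ver, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, *_rest) = struct.unpack_from(EHDR_FMT, data, 0)
    phdrs = [struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]
    by_type = {p[0]: p for p in phdrs}   # p[0] is p_type, p[1] is p_flags
    gnu_stack = by_type.get(PT_GNU_STACK)
    return {
        # PIE: an executable (it has a PT_INTERP) linked as ET_DYN, so ASLR can
        # place the main image at a random base. A plain ET_EXEC is fixed-address.
        "pie": e_type == ET_DYN and PT_INTERP in by_type,
        # NX: PT_GNU_STACK present and not flagged executable. A missing
        # PT_GNU_STACK makes the loader fall back to an executable stack.
        "nx": gnu_stack is not None and not (gnu_stack[1] & PF_X),
        # RELRO: a PT_GNU_RELRO segment lets the loader make relocation data
        # (GOT and friends) read-only once relocation is done.
        "relro": PT_GNU_RELRO in by_type,
    }


def check_elf_file(path):
    """Check a binary on disk, e.g. check_elf_file('/usr/bin/some-client')."""
    with open(path, "rb") as f:
        return check_elf_bytes(f.read())


def build_sample_elf(pie, nx, relro):
    """Construct a minimal ELF64 header set for testing (not a loadable binary)."""
    phdrs = [(PT_INTERP, PF_R, 0, 0, 0, 0, 0, 1),
             (PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X), 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1))
    ehsize = struct.calcsize(EHDR_FMT)
    phentsize = struct.calcsize(PHDR_FMT)
    ident = ELF_MAGIC + bytes([ELFCLASS64, 1, 1, 0]) + bytes(8)   # 64-bit, LE, v1, SysV ABI
    ehdr = struct.pack(EHDR_FMT, ident, ET_DYN if pie else ET_EXEC, 0x3E, 1,
                       0x1000, ehsize, 0, 0, ehsize, phentsize, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], check_elf_file(sys.argv[1]))
    else:
        print("hardened sample:  ", check_elf_bytes(build_sample_elf(True, True, True)))
        print("unhardened sample:", check_elf_bytes(build_sample_elf(False, False, False)))
```

A result of `pie: False` or `nx: False` on a shipped client is exactly the "missing DiD support" finding the article discusses: it does not identify a vulnerability, but it means any memory-safety bug that is found will be easier to turn into reliable code execution. For a full picture, combine this with a check of the distribution's toolchain defaults and of the dynamic section for `BIND_NOW`.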

We are fans of understanding code maturity and have in fact developed
a whole system in VulnDB for rating the secure coding state of a
product based on the types of uncovered vulnerabilities. However, we
believe that the security of a product, in this case the Zoom client,
cannot solely be determined with just a teardown of a few examples of
what speaks to their SDL.

In this case the code maturity, as Mudge points out, is very low and
on the surface that is very problematic. But we must remember that
academically insecure code is only a concern if there are practical
avenues to attack the potential vulnerabilities. Code maturity is
important, but it should not be examined in an isolated manner.

It’s also worth noting that so far none of the vulnerabilities
recently reported in the Zoom clients for Windows and macOS seem to be
due to using insecure functions. Similarly, none of them would have
been mitigated by the enabling of the previously discussed security
mechanisms. It is worth noting, though, that the two old
vulnerabilities in the Linux client indeed were due to unsafe function
use.

ATTACK VECTORS FOR SOME OF THE RECENT VULNERABILITIES

One of the initial vulnerability reports for the Zoom client, which
received a lot of attention and media hype, was a local privilege
escalation (LPE) issue. While the vulnerability was quite interesting
from a technical point-of-view, the local vector made it less severe
and also less of a risk. Another of the initial vulnerability reports
was reported to disclose Windows NTLM credentials (in fact the impact
was more severe, as it also allowed execution of commands) but it
required that an attacker was in a chat session with the victim and
tricked them into clicking a malicious link. This also reduced the
severity and risk to organizations.

This is important to understand as we need to keep the threat model,
attack surface, and attack vectors in mind while evaluating risk. In
the case of the LPE vulnerability what this means is that companies
should primarily be concerned if the Zoom client is installed on a
company machine provided to untrusted employees. For users with the
Zoom client installed on their own private systems, the risk is quite
limited; they only really have to worry about bad actors, who
compromise their systems through other means and use it to elevate
privileges.

It’s worth noting that if done right (we haven’t confirmed if this is
the case for the Zoom client), most of the local interfaces in this
type of software should be running with the user’s own privileges.
That means even if there was a coding flaw in the interface, it would
not have a security impact or lead to any elevation of privileges.

In the case of the other vulnerability, the risk is greater to both
corporate and private systems. However, the attack vector still
requires a bad actor to establish a chat session with a victim and
then trick them into clicking a link. The risk can, therefore, be
limited by not engaging in any chat sessions with untrusted people and
refraining from clicking any links provided by them. Due to the attack
surface of this type of software, these types of context-dependent or
user-assisted attacks are a lot more plausible than any true remote
compromise.

From what we’ve seen so far there are certainly legit concerns about
the Zoom clients, but we wouldn’t consider it a critical IT
infrastructure concern for organizations, and the risk is no greater
than many of the vulnerabilities being disclosed in other software.
The Cisco WebEx clients don’t exactly have a stellar track record
either.

ZERO-DAY CLAIMS OF A USD 500K VULNERABILITY

Just a few days after Mudge’s Twitter thread, an article was published
that suggested there were in fact significant zero-day exploits being
sold. One was supposedly so severe that the asking price was USD
500,000. According to a few sources, who trade in such exploits, there
were two Zoom zero-days on the market: one for Windows and one for
macOS. While the sources had not seen the actual code of the exploits,
they were contacted by brokers selling them.

The article describes the macOS vulnerability as not being a remote
code execution (RCE) issue, but then goes on to provide conflicting
information about the Windows issue:

“[The Windows zero-day] is nice, a clean RCE [Remote Code Execution],”
said one of the sources, who is a veteran of the cybersecurity
industry. “Perfect for industrial espionage.”

and:

“Generally speaking, an RCE exploit allows hackers to access the
target’s whole machine, not just the app they are attacking.”

These claims suggest that the vulnerability is a straight-forward
remote code execution vulnerability that allows gaining control of a
victim’s system. That is a bit surprising, as it doesn’t immediately
support expectations based on the interfaces provided by the Zoom
clients.

However, the article then also states:

“The zero-day for Zoom on Windows would allow hackers to access the
app, but would need to be coupled with another bug to access the whole
machine.”

and:

“The source said the exploit requires the hacker to be in a call with
the target, making it less valuable for a government spy agency that
aims to be stealthy and doesn’t want to get caught.”

Suddenly it becomes quite clear that the attack vector is not “a clean
RCE” but what is commonly considered a context-dependent or
user-assisted attack vector, as the victim is required to first be in
a chat session with the attacker (and maybe even further user
interaction is required). It is, furthermore, suggested that it does
not grant control of the system unless coupled with another
vulnerability.

When first seeing the headline, we thought that perhaps a very serious
and valid zero-day (0-day) allowing code execution might have been
discovered. After reviewing the information, it seems more plausible
that this is not the case and that someone is just trying to make a
quick buck (well… 500,000 of them).

PRIORITIZE USING A RISK-BASED APPROACH

Individuals using Zoom for personal reasons outside of the corporate
environment should be fine as long as they follow proper security
practices. If you are using Zoom, make sure that you are configuring
your calls properly. Here are some resources we have found that walk
you through the process:

Zoom isn’t Malware
Magid: Zoom safe to use if properly configured

The Freedom Of The Press Foundation put together this useful resource,
breaking down the right video conferencing tool for the job.

Businesses using Zoom or thinking of utilizing it as their primary
video conferencing platform need to follow a risk-based approach. Now
that you have an understanding of Zoom’s security concerns and
problems, you can start the process of vendor evaluation and avoid
playing the vulnerability whack-a-mole game. Assess Zoom’s flaws and
code maturity along with vulnerabilities your organization is
currently facing in order to effectively mitigate risk, rather than
simply following public sentiment.

What Next?

The Zoom story obviously doesn’t end here, and it’s becoming a
fascinating case study about software vendors and the security of
their product. It further shows the importance of understanding the
ways in which your digital supply chain exposes you to risk, and the
constant decisions that organizations have to make to manage the
potential impact to their business. We’re going to keep a close eye on
how this Zoom story develops, and we’ll make updates here, to build a
comprehensive and hopefully useful resource for the security
community.
