The new flaws of Zoom, on Windows and Mac: how to protect yourself while society is running for cover


Watch out, Zoom users on Windows: the application now widely used for its video-chat features is affected by a serious vulnerability that lets an attacker able to exploit it steal the operating system's authentication credentials. Mac users are not safe either: two new flaws jeopardize the security of that system.

The discovery comes as the use of Zoom has soared in response to the forced social distancing imposed to limit the spread of the COVID-19 pandemic. With huge numbers of people suddenly working from home, many chose Zoom to keep in touch with colleagues, customers and partners. Zoom counted 200 million users in the month of March alone, compared with 10 million in December.

The problem is that many of these endpoints connect over ordinary home networks with no particular security measures, while handling the sensitive and confidential information typical of the work their users do. The attack works through Zoom's chat window: the attacker sends the target a text string in Universal Naming Convention (UNC) format, that is, a network path of the form \\host\share, which Zoom automatically turns into a clickable link. If the target clicks the link from a network that is not properly protected, Windows tries to reach the share with its SMB client and, as part of that connection, sends the NTLM username and the corresponding NTLM hash (in fact a challenge-response derived from the password hash, which can be cracked offline) to the address contained in the link, which is controlled by the attacker.
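As an added example (not Zoom's code and not from the original article), the following PowerShell scans chat text for UNC paths of the kind described above and flags the ones whose target host is outside private address space, where a click would send the Windows SMB client, and with it the NTLM response, to an Internet host. The function names, the classification rules and the sample messages are my own constructions; the name-based heuristic is deliberately simple and an internal FQDN would need an allowlist.

```powershell
# Added example: detect UNC paths in chat messages and classify the risk of
# clicking them. Sample messages below are constructed for illustration.

function Test-PrivateIPv4 {
    param([ipaddress]$Address)
    $b = $Address.GetAddressBytes()
    # RFC 1918 ranges, loopback and link-local count as "local" destinations
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 127) -or
           ($b[0] -eq 169 -and $b[1] -eq 254)
}

function Find-UncLeakRisk {
    param([string[]]$Messages)
    # A UNC path is two backslashes, a host, a backslash and a share name.
    # Zoom's chat turned such strings into clickable links.
    $pattern = '\\\\(?<host>[A-Za-z0-9.\-]+)\\(?<share>[^\\\s]+)'
    foreach ($msg in $Messages) {
        foreach ($m in [regex]::Matches($msg, $pattern)) {
            $targetHost = $m.Groups['host'].Value
            $ip = $null
            $risk = if ([ipaddress]::TryParse($targetHost, [ref]$ip) -and
                        $ip.AddressFamily -eq 'InterNetwork') {
                if (Test-PrivateIPv4 $ip) { 'local' } else { 'external-ip' }
            } else {
                # A dotted name is usually a public DNS name that resolves to an
                # Internet address on purpose; a bare name is a NetBIOS/LAN host.
                if ($targetHost -match '\.') { 'external-name' } else { 'netbios-name' }
            }
            [pscustomobject]@{
                Path = $m.Value
                Host = $targetHost
                Risk = $risk
                Text = $msg
            }
        }
    }
}

# Constructed sample chat lines (203.0.113.5 is a documentation address)
$sample = @(
    'Slides are on \\fileserver01\projects\q2.pptx',
    'check this out \\203.0.113.5\share\funny.gif',
    'backup at \\192.168.1.20\backup',
    'see \\evil.example.com\x',
    'no path here'
)

Find-UncLeakRisk -Messages $sample | Format-Table -AutoSize
```

Run as-is, the table lists four paths: the two LAN targets come out as local and netbios-name, while the documentation IP and the public hostname are flagged as external-ip and external-name, the two cases where a click would carry the NTLM exchange off the home network.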


The pass-the-hash attack and a possible countermeasure: closing port 445

The attacker can then use those credentials to access shared network resources, such as Outlook servers and storage devices. As a rule, resources on a Windows network accept NTLM authentication when they need to authenticate a device, which is why this is commonly described as a pass-the-hash attack: the attacker never needs to convert the hash into the corresponding plaintext password. Strictly speaking, what is captured this way is an NTLM challenge-response rather than the raw password hash, so in practice the attacker either cracks it offline (weak passwords fall quickly) or relays it in real time to another service that accepts NTLM; in both cases no plaintext password is required. The attacks are fairly simple to conduct and can be carried out by anyone able to join a meeting, for instance through so-called Zoom bombing raids on meetings that are not password protected and whose link is public.

When a Windows user clicks the link while connected to an unprotected network or machine, the SMB client sends the credentials to TCP port 445, the port that carries Windows SMB traffic (file sharing and Active Directory services). If port 445 is blocked toward the outside by a firewall, or by the connectivity provider, the attack fails. But on most Zoom users' home networks this port is unlikely to be blocked, so I recommend closing it with a firewall rule, ideally only for outbound connections toward Internet destinations so that file shares on the local network keep working, unless some indispensable service for work or remote study needs it kept open.
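As an added example (not Zoom's guidance and not from the original article), this PowerShell applies the countermeasure on a single Windows machine: it blocks outbound SMB toward Internet addresses and, as a second layer, tells the local security authority not to send NTLM to remote servers at all. The rule name is my own; the registry value is the one behind the policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers". It must be run from an elevated PowerShell, and on a domain-joined machine the NTLM setting should be tried in audit mode first.

```powershell
# Added example: block outbound SMB to the Internet and restrict outgoing NTLM.
# Run from an elevated PowerShell on the Windows host you want to protect.

# 1. Block outbound SMB (TCP 445, plus the legacy NetBIOS session port 139)
#    toward the Windows Firewall predefined 'Internet' address set, so shares
#    on the local network are unaffected.
New-NetFirewallRule -DisplayName 'Block outbound SMB to Internet' `
    -Direction Outbound -Protocol TCP -RemotePort 445,139 `
    -RemoteAddress Internet -Action Block -Profile Any | Out-Null

# 2. Second layer: do not send NTLM to remote servers at all.
#    0 = allow all, 1 = audit only, 2 = deny all. Start with 1 on a
#    domain-joined machine and review the audit events before moving to 2.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
New-ItemProperty -Path $lsa -Name 'RestrictSendingNTLMTraffic' `
    -PropertyType DWord -Value 2 -Force | Out-Null

# 3. Verify the rule's port and address filters.
$rule = Get-NetFirewallRule -DisplayName 'Block outbound SMB to Internet'
$rule | Get-NetFirewallPortFilter    | Select-Object Protocol, RemotePort
$rule | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
Get-ItemProperty -Path $lsa -Name 'RestrictSendingNTLMTraffic'

# 4. Optional: an SMB connection attempt to an external host you control
#    should now fail immediately instead of timing out.
#    Test-NetConnection -ComputerName <your-external-host> -Port 445
```

The firewall rule alone is enough to defeat the chat-link attack described above; the NTLM restriction also covers the case where an attacker uses a port other than 445 (for example an HTTP URL that triggers NTLM authentication), at the cost of breaking legitimate NTLM logons to servers outside the domain.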

Zoom's flaws in the macOS version too

As for the Mac version, it turned out that the Zoom installer calls an API to perform various installation tasks with elevated privileges, in a way that lends itself to a privilege-escalation attack: an attacker can abuse it to gain root on the system and from there perform any action. In this case the vulnerability can only be exploited locally, meaning by an attacker or by malware already running as an ordinary user on the machine, but that does not lessen its seriousness.


A second vulnerability lets an attacker access the camera and microphone and record the screen, without the user ever being asked to intervene or grant permission. Security researcher Patrick Wardle, a former NSA hacker, explains that the vulnerability allows malicious code to be injected into Zoom's process space; because that code then runs inside Zoom, it inherits the camera and microphone permissions the user already granted to Zoom, opening the way to recording user activity and what happens in virtual meetings. Wardle suggests using OverSight, a small application he developed, which shows a notification whenever any application or service accesses the webcam or microphone.

Zoom's problems: the CEO runs for cover

These are just the latest in a series of unpleasant episodes that have made the app a protagonist in recent weeks: with the surge in its use, many security, privacy and usability problems have surfaced, so much so that large organizations such as SpaceX and NASA have banned its use, and the FBI has advised against it.

This situation led Zoom's CEO, Eric S. Yuan, to publish a long blog post yesterday addressing some of the app's most significant problems. For the next 90 days Zoom will completely suspend the development of new features in order to focus on fixing existing problems. "Supporting this influx of new users has been an extraordinary undertaking and our only focus in these past weeks. However, we recognize that we have fallen short of the community's expectations and our own on security and privacy. I am deeply sorry for this and I want to share what we are doing about it."


Predictably, Yuan points out that mass adoption has brought a series of unexpected headaches: "We didn't design the product anticipating that within a few weeks everyone in the world would be working, studying and socializing from home. Now we have a much larger number of users who use our product in a myriad of new ways, presenting us with a series of challenges that we didn't consider when the platform was designed."

Yuan then explained that the company will engage a consulting firm to evaluate and verify the situation as a whole and compile a transparency report. Zoom has also decided to strengthen its bug bounty program, which offers monetary rewards to security researchers who identify problems and vulnerabilities and imposes a confidentiality clause on participants. The program is managed through the HackerOne service.
