Flash Alert: Zoom Vulnerabilities

IntSights recommends immediate updates to the Zoom application to patch several security and privacy issues.

Over the past few months, security researchers have found several security vulnerabilities in the Zoom video conferencing application. With a huge percentage of the workforce recently transitioning to fully remote work, it is imperative to understand the threats remote workers face to better defend against them.

Researchers have recently discovered multiple privacy and security problems in the Zoom application, all of which have now been addressed in updates to the platform. The following is a list of security issues that have been addressed:

  • Video hijacking, aka "Zoom-bombing": uninvited participants joining meetings that are not protected by a passcode or waiting room, resulting in harassment, stalking, and disruption of private Zoom calls.
  • CVE-2020-11500: Zoom Client for Meetings through 4.6.9 uses the ECB mode of AES for video and audio encryption. ECB encrypts each 16-byte block independently, so identical plaintext blocks produce identical ciphertext blocks and structure in the media leaks to anyone who can observe the stream, without the key.
  • CVE-2020-11470: Zoom Client for Meetings through 4.6.8 on macOS has the disable-library-validation entitlement, which allows a local process (with the user's privileges) to obtain unprompted microphone and camera access by loading a crafted library and thereby inheriting Zoom Client's microphone and camera access.
  • CVE-2020-11469: Zoom Client for Meetings through 4.6.8 on macOS copies runwithroot to a user-writable temporary directory during installation, which allows a local process (with the user's privileges) to obtain root access by replacing runwithroot.
  • Permanent removal of the "attention tracking" feature, which allows a host to see when an attendee clicks away from the Zoom window.
  • Permanently removed the LinkedIn Sales Navigator app after identifying unnecessary data disclosure by the feature.
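To make concrete why the ECB finding (CVE-2020-11500) matters, the following is an added example written for this alert; it is not Zoom's code and does not reconstruct Zoom's media protocol. It encrypts the same constructed "frame" of repeated pixel data with AES in ECB mode and with AES-GCM, then counts repeated ciphertext blocks. The key, nonce and sample frame are made up for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed key and nonce, used only so the demo is deterministic.
// Real keys come from a CSPRNG and a GCM nonce must never repeat under one key.
var demoKey = []byte("0123456789abcdef") // 16 bytes: AES-128
var demoNonce = []byte("unique-nonce")   // 12 bytes, the standard GCM nonce size

// SampleFrame stands in for a chunk of raw video: a 16-byte pixel run repeated
// eight times, the way a flat background region repeats in an uncompressed frame.
func SampleFrame() []byte {
	run := bytes.Repeat([]byte{0x20}, aes.BlockSize)
	return bytes.Repeat(run, 8) // 128 bytes = 8 AES blocks
}

// EncryptECB mirrors the flawed construction: each 16-byte block is encrypted
// independently with no chaining and no nonce. Input must be block-aligned;
// real ECB code would also need padding, which is omitted here.
func EncryptECB(key, pt []byte) ([]byte, error) {
	if len(pt)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(pt), aes.BlockSize)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct, nil
}

// EncryptGCM is the corrected form: the AES-GCM keystream differs for every
// block position, and the appended 16-byte tag authenticates the result.
func EncryptGCM(key, nonce, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, pt, nil), nil
}

// DuplicateBlocks counts 16-byte ciphertext blocks that repeat an earlier
// block. Any count above zero means an observer sees plaintext structure
// without knowing the key.
func DuplicateBlocks(ct []byte) int {
	seen := make(map[string]bool)
	dups := 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			dups++
		}
		seen[b] = true
	}
	return dups
}

// CompareModes encrypts one frame under both modes and reports how many
// repeated ciphertext blocks each mode exposes.
func CompareModes(frame []byte) (ecbDups, gcmDups int, err error) {
	ecb, err := EncryptECB(demoKey, frame)
	if err != nil {
		return 0, 0, err
	}
	gcm, err := EncryptGCM(demoKey, demoNonce, frame)
	if err != nil {
		return 0, 0, err
	}
	// Drop the trailing GCM tag so only ciphertext blocks are compared.
	return DuplicateBlocks(ecb), DuplicateBlocks(gcm[:len(frame)]), nil
}

// SameCiphertextTwice shows the second ECB leak: with no nonce, an unchanged
// frame encrypts to identical bytes every time, so "nothing moved" is visible.
func SameCiphertextTwice(frame []byte) (bool, error) {
	a, err := EncryptECB(demoKey, frame)
	if err != nil {
		return false, err
	}
	b, err := EncryptECB(demoKey, frame)
	if err != nil {
		return false, err
	}
	return bytes.Equal(a, b), nil
}

func main() {
	frame := SampleFrame()
	ecbDups, gcmDups, err := CompareModes(frame)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ECB: %d repeated ciphertext blocks\n", ecbDups) // 7 of 8 blocks repeat
	fmt.Printf("GCM: %d repeated ciphertext blocks\n", gcmDups) // 0
}
```

Counting repeats is all an on-path observer has to do; no key is involved. Go's standard library deliberately ships no ECB helper, so the block-by-block loop above is what a product team would have to write by hand, which makes its presence in a code review an immediate flag.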

For more information on Zoom patches and security fixes, consult the security bulletins and release notes published on the Zoom website.

Sources: MITRE, CVE entries related to Zoom (CVE-2020-11500, CVE-2020-11470, CVE-2020-11469)
