Flash Alert: Zoom Vulnerabilities
April 3rd, 2020
IntSights recommends immediate updates to the Zoom application to patch several security and privacy issues.
Over the past few months, security researchers have found several security vulnerabilities in the Zoom video conferencing application. With a huge percentage of the workforce recently transitioning to fully remote work, it is imperative to understand the threats remote workers face to better defend against them.
Researchers have recently discovered multiple privacy and security problems in the Zoom application, all of which have now been addressed in updates to the platform. The following is a list of security issues that have been addressed:
- Video hijacking, aka "Zoom-bombing", which results in harassment, stalking, and uninvited appearances in private Zoom calls.
- CVE-2020-11500: Zoom Client for Meetings through 4.6.9 uses the ECB mode of AES for video and audio encryption.
- CVE-2020-11470: Zoom Client for Meetings through 4.6.8 on macOS has the disable-library-validation entitlement, which allows a local process (with the user's privileges) to obtain unprompted microphone and camera access by loading a crafted library and thereby inheriting Zoom Client's microphone and camera access.
- CVE-2020-11469: Zoom Client for Meetings through 4.6.8 on macOS copies runwithroot to a user-writable temporary directory during installation, which allows a local process (with the user's privileges) to obtain root access by replacing runwithroot.
- Permanent removal of the "attention tracking" feature, which allowed a host to see when an attendee clicked away from the Zoom window.
- Permanent removal of the LinkedIn Sales Navigator app after the feature was found to disclose unnecessary data.
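The ECB weakness behind CVE-2020-11500 is a property of the mode, not of AES. The following is an added example (not code from IntSights or Zoom) that contrasts ECB with counter mode on a constructed, low-entropy "video frame" and applies the repeated-block check a reviewer would use to flag ECB in captured media; it uses a toy Feistel block cipher as a stand-in for AES so it runs on the Python standard library alone.

```python
import hashlib
import hmac
import os

BLOCK = 16  # AES block size; the ECB weakness depends on the mode, not the cipher


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 16-byte block cipher: a 4-round Feistel network with an
    HMAC-SHA256 round function. It is NOT AES and is only here so the
    mode comparison runs on the standard library; any block cipher behaves
    the same way under ECB."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def encrypt_ecb(key: bytes, data: bytes) -> bytes:
    """ECB: each block is encrypted independently, so equal plaintext blocks
    give equal ciphertext blocks and the structure of the media leaks."""
    assert len(data) % BLOCK == 0
    return b"".join(toy_block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def encrypt_ctr(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: encrypt nonce||counter to get a keystream and XOR it with the data,
    so equal plaintext blocks are masked by different keystream blocks."""
    assert len(nonce) == 8
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        keystream = toy_block_encrypt(key, nonce + (i // BLOCK).to_bytes(8, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], keystream))
    return bytes(out)


def repeated_block_ratio(ciphertext: bytes, block_size: int = BLOCK) -> float:
    """Fraction of ciphertext blocks that duplicate an earlier block. A high
    ratio on low-entropy media data is the classic fingerprint of ECB mode."""
    blocks = [ciphertext[i:i + block_size] for i in range(0, len(ciphertext), block_size)]
    return 1.0 - len(set(blocks)) / len(blocks) if blocks else 0.0


# Constructed sample: a "video frame" that is mostly one flat colour (32 blocks).
FRAME = b"\x10\x20\x30\x40" * 120 + bytes(range(32))
KEY = b"constructed-demo-key-not-secret!"  # constructed, not a real key

if __name__ == "__main__":
    print(f"ECB repeated-block ratio: {repeated_block_ratio(encrypt_ecb(KEY, FRAME)):.2f}")
    print(f"CTR repeated-block ratio: {repeated_block_ratio(encrypt_ctr(KEY, os.urandom(8), FRAME)):.2f}")
```

On the sample frame ECB reports about 91% duplicate blocks while CTR reports none; the same ratio check works on any captured ciphertext whose block size you know.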
Etay Maor is Chief Security Officer at IntSights. As CSO, Etay leads the security advisory practice at IntSights, where he works with CISOs and other senior cybersecurity executives to develop risk management-based cybersecurity programs. Etay has extensive experience in cybersecurity, having worked at IBM, Trusteer, and RSA. Etay holds a BA in Computer Science and an MA in Counter Terrorism and Cyber Terrorism and is currently a professor at Boston College.