
Zoom Zero-Day Allows RCE, Patch on the Way - LinuxBender
https://threatpost.com/unpatched-zoom-bug-rce/157317/
======
user5994461
>>> the flaw... only exploitable on Windows 7 and older Windows systems, which
> are end-of-life and no longer supported by Microsoft

Windows 7 is supported until 2023 in enterprise. Wouldn't be surprised if it's
a quarter of the userbase.

~~~
miles
> Windows 7 is supported until 2023 in enterprise

Not just enterprise; even a single user can easily acquire ESU:

[https://tinyapps.org/blog/202001220700_windows_7_esu_smb.htm...](https://tinyapps.org/blog/202001220700_windows_7_esu_smb.html)

~~~
0x0
Entering credit card numbers into a _forms.office.com_ web form? Is that... a
legitimate way of handling credit cards?

~~~
wutwutwutwut
I found it mildly entertaining that the same form also instructs you to "Never
give out your password."

~~~
techslave
credit card number is always safe to give out. you have zero liability, and
the fraud detection in the backend is far far far better than what fly by
night app of the day does.

~~~
wutwutwutwut
That assumes that the cost of troubleshooting this, replacing cards etc is
zero, which it isn't.

~~~
techslave
it’s almost zero. i am forced to replace a credit card due to theft about
every 3 years. it’s not a hassle at all.

in fact you are forced to replace your card just due to expiry every 1-4 years
depending on issuer.

------
ebg13
> _0patch became aware of the flaw thanks to a “private researcher” who wants
> to remain anonymous—that person said no disclosure was made to Zoom_

No disclosure was made to Zoom. Why? What's the point of doing that?

~~~
ziddoap
Just spitballing here, but it could be due to previous bad encounters with
Zoom, previous cases where Zoom has dismissed or downplayed an exploit, etc.
Is Zoom one of those companies that requires excessive NDA's for exploits?
That could be a factor.

I can think of a few other reasons, although it probably would have been
better to disclose to Zoom /alongside/ whoever else they thought should get
it.

~~~
mr_mitm
> bad encounters with Zoom, previous cases where Zoom has dismissed or
> downplayed an exploit, etc.

Have they?

Their disclosure policy [1] sounds reasonable and their public response [2] to
the recent accusations has been text book, if you ask me. They even hired top
industry experts (Alex Stamos, Matthew Green, etc.) and acquired keybase to
strengthen their security.

To me it looks like Zoom got lots of attention at once, and thus had lots of
security issues at once, that would not be out of the ordinary if they had
been more spread out. However, them lying to their customers about E2EE is
hard to forgive.

[1] [https://hackerone.com/zoom](https://hackerone.com/zoom)

[2] [https://blog.zoom.us/a-message-to-our-users/](https://blog.zoom.us/a-message-to-our-users/)

~~~
ziddoap
As I mentioned, I was just stating some generic reasons why a researcher may
choose not to disclose specifically (and only) to the company in question.

------
nonfamous
On Windows 7 and earlier.

------
tpmx
Aka backdoor.

~~~
albntomat0
It’s not a particularly good backdoor as it only affects win 7 and earlier

------
techntoke
Thought people would have learned after they were caught the first time
installing backdoors and then saying they'll spy on you unless you pay them.

