
Two vulnerabilities in Zoom could lead to code execution - joering2
https://blog.talosintelligence.com/2020/06/vuln-spotlight-zoom-code-execution-june-2020.html
======
Jonnax
I wonder. Are all the vulnerabilities and issues with Zoom because of its
popularity?

Everybody is using zoom these days and in my opinion it's because it has an
excellent user experience.

I'm wondering if something like Cisco WebEx is just as "broken" but everyone
doesn't have their eyes on it.

One thing for sure. We need a way to run desktop applications in isolated
containers in the same way mobile apps are run.

I joined a WebEx meeting the other day, downloading its client. And after the
meeting a little window popped up with my next meetings.

Without permission it had hooked into my Outlook calendar.

At the very least, we could have some sort of virtual file system that by
default applications only see.

I'm sure the capability exists in Windows, because there's a mod management
tool for Skyrim I've used where it creates a virtual folder for all your
activated mods and the game itself sees that virtual folder when running.

As an aside, remember when Skype was the most popular audio/video chat app in
the world?

Or even MSN messenger?

I also remember Hangouts getting popular but then stagnating in using 100% CPU
and setting fire to your laps.

~~~
redis_mlc
> something like Cisco WebEx

So you're going to love this.

The CEO of Zoom is a former senior engineer on WebEx, funded by ex-WebEx
employees and founders.

Zoom was originally him plus 40 software engineers in China.

If I was Cisco, I'd be wondering how much code was copied into Zoom.

And if I were you, I'd be wondering why people are using an essentially
Chinese communications tool.

Zoom is not a normal US company that outsources to China - the entire
development team started in China with a San Jose "HQ" (because Cisco is based
in San Jose.)

~~~
throw554323
Eric Yuan worked for WebEx before it was acquired by Cisco. While he was at
Cisco, he tried to improve WebEx, but none of his managers listened and he
felt they were moving too slow [1]. He left and started his own company.

He’s an American. His wife is an American. His kids are American.

1\. [https://www.cnbc.com/2019/08/21/zoom-founder-left-job-becaus...](https://www.cnbc.com/2019/08/21/zoom-founder-left-job-because-he-wasnt-happy-became-billionaire.html)

~~~
Sevaris
Nobody said he wasn't American. The team that made and works on Zoom is in
China though.

~~~
bamboozled
What happens if Chinese people work on it?

~~~
Jon_Lowtek
Chinese Ministry of State Security can inject a coder/sysadmin who adds
vulnerabilities which are then used for espionage against
corporations/governments. The National Security Agency has done things like
that in the past, so it is safe to assume the Chinese do it too.

~~~
rad_gruchalski
Playing devil’s advocate: what should the rest of the world do when using
proprietary technology from the USA, given that NSA likes to have their nose
in everything?

~~~
lifty
The software industry needs to adapt to the challenges of a fully digitized
world and at the moment things are a bit behind. The first and most important
part is to have reproducible builds and core signing, so in cases where the
source is available, people should be able to easily trace what’s in the
software they’re using and who contributed. I think this is a technical
challenge and some software ecosystems are trying to solve it (Go, Rust etc.).
The next thing that I would like to see happening is more commercial software
licenses that allow making a living from selling software but that give access
to the source. I prefer a world where I pay for software and developers can
make a living, and at the same time be able to check that the promises that
the developer makes are held.

~~~
whydoyoucare
How would code-signing help if NSA arm-twists you into introducing a backdoor
in your code? Even for open-source, it is difficult for average-Joe to trace
and figure out contributions (it's like saying the automobile engine has
blueprints available, so everyone should be able to figure out what's wrong).
:-)

~~~
joering2
Arm-twist?

You know NSA is an American Agency, and America is not China - there is a free
enterprise. The only way they can "arm-twist" you is by rules and regulations
that every company has to follow. In other words - NSA cannot force you to
break the law.

~~~
jtsuken
"The FBI wanted to work out an arrangement in which the developer would
secretly feed its operatives information about Telegram’s inner
workings—things like new features and other components of the service’s
architecture that they might want to know about. The arrangement would be
strictly confidential, and they were willing to pay." source:
[https://thebaffler.com/salvos/the-crypto-keepers-levine](https://thebaffler.com/salvos/the-crypto-keepers-levine)

~~~
joering2
What's your point? Telegram owners are private enterprise. They could say "okay
we do it for money", or say "we won't do it because of principles".

Where is this so-called "arm-twisting" ??

~~~
Angeo34
>What is a metaphor the post

Even if it wasn't a metaphor the US has been known to physically harass people
for Software more than any other regardless of what the people did.

~~~
joering2
US government has been _physically_ harassing people for software?

Some examples please?

~~~
jtsuken
Isn't it ironic how the majority of threads on this forum currently discuss
the abuse of power of government officials and the excessive violence of
countless law enforcement agencies, while this thread abounds in commenters
conspicuously ignorant of the problem?

~~~
joering2
I'm not being ignorant. I am simply asking a question - what are examples of
government physically harassing software people?

Unless what you're saying is that some programmer's neck was crushed for 8
minutes because they didn't want to implement a backdoor??

------
zemnmez
another day, another set of misrepresented vulnerabilities from the security
consultancy vuln mill:

1) Zoom client application chat Giphy arbitrary file write

This is not an 'arbitrary file write'. There is virtually no 'arbitrary file
write' that doesn't lead to code execution on Windows. The reason is detailed
in the report itself:

> The severity of this vulnerability is partially mitigated by the fact that
> Zoom client will append a string _BigPic.gif to the specified filename. This
> prevents the attacker from creating a fully controlled file with arbitrary
> extension.

Nobody is getting hacked by downloading a corrupt .gif file.

2) Zoom Client Application Chat Code Snippet Remote Code Execution
Vulnerability

This is not an 'arbitrary file write', as even in the most user input
intensive scenario it is restricted. It's not a 'remote code execution',
either as they clearly detail in the last paragraph:

> In summary, this vulnerability can be abused in two above outlined
> scenarios. First, without user interaction, it can be abused to plant
> arbitrary binaries on target system albeit at a constrained path potentially
> used in exploiting another vulnerability. Secondly with user interaction,
> plant binaries at almost arbitrary paths and can potentially overwrite
> important files and lead to arbitrary code execution.

The report itself _does not_ detail the actual way this reaches remote code
execution, saying only:

> This in itself could potentially be abused in leveraging another
> vulnerability.

However, they could presumably extract the exe to
%APPDATA%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, which
would cause remote code execution when the user logs in again. I would be
surprised if the reality isn't they tried this and they couldn't do it. I
don't understand why they cut this so short.

It's pretty normal for me to be able to drop an .exe in various places. That's
what happens when a website triggers a download. The important thing here is
the 'execution' of remote code execution, which they have failed to
demonstrate.

This is an endless frustration as a vulnerability researcher. Security
consultancies, trying to fish for contracts are endlessly willing to
misrepresent bugs and security issues they find as much as possible, and
there's very little accountability for this.

------
danans
PSA: Zoom has a pretty decent web only experience you can access using a
roundabout procedure:

[https://support.zoom.us/hc/en-us/articles/214629443-Zoom-web...](https://support.zoom.us/hc/en-us/articles/214629443-Zoom-web-client?mobile_site=true#h_d058aa08-10b5-4c9f-b029-4ce9603bb2d1)

If the Zoom native app's security is a concern for you, the arguably increased
security of your browser's environment should help.

If you are a Zoom meeting host, you can save your participants the trouble of
the procedure described above by always showing the Join From Browser link:

[https://support.zoom.us/hc/en-us/articles/115005666383-Show-...](https://support.zoom.us/hc/en-us/articles/115005666383-Show-a-Join-from-your-browser-Link?mobile_site=true)

~~~
humaniania
Why would you want to support a company who repeatedly takes shortcuts that
endanger their users? There are lots of other options.
[https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto...](https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/)

~~~
danans
> Why would you want to support a company who repeatedly takes shortcuts that
> endanger their users?

My intention is only to inform people of an option that is more secure, but
one that for whatever reason is obscured by Zoom.

A lot of people don't have a choice but to use Zoom because it is what their
meeting host uses.

------
philh
Not a comment on the article, but the CAPTCHA before it seems weird and kind
of sketchy.

> Why do I have to complete a CAPTCHA?

> Completing the CAPTCHA proves you are a human and gives you temporary access
> to the web property.

Okay, but... why do I have to complete a CAPTCHA?

> What can I do to prevent this in the future?

> If you are on a personal connection, like at home, you can run an anti-virus
> scan on your device to make sure it is not infected with malware.

> If you are at an office or shared network, you can ask the network
> administrator to run a scan across the network looking for misconfigured or
> infected devices.

> Another way to prevent getting this page in the future is to use Privacy
> Pass. You may need to download version 2.0 now from the Firefox Add-ons
> Store.

How would a virus scan help here? I certainly hope my browser doesn't go
around advertising when I last did one of them. And how does Privacy Pass
prove I'm human, are robots unable to pretend to be Firefox plus Privacy Pass?

~~~
kop316
I'm getting the same issue. I also use CDN from cloudflare for my personal
sites...and this is making me reconsider using it.

Giving cloudflare the benefit of the doubt, what could trip this is:

1) the site is getting higher than average visits (tripping the anti-DDoS flag
for the CDN)

2) I went without javascript on, so they think I am just a bot.

EDIT: after giving it the benefit of the doubt, the captcha didn't work for me
at least 4 times. That is unacceptable.

~~~
cuspycode
I got the same CAPTCHA, running Firefox 68.4.1 on Linux. Normally when this
kind of thing happens, I just close the tab and move on with my life. But this
time I tried opening with Chromium instead (version 76.0.3809.100) and then no
CAPTCHA was required. Neither browser has Privacy Pass, so why are they
treated differently?

~~~
tfigment
So you have a script blocker on both and configured the same way? I get captcha
requests on my Firefox with uMatrix due to aggressive blocking.

~~~
cuspycode
No blockers, just using the built-in privacy/incognito modes.

------
CSDude
Because of these possibilities, I prefer using my iPad Mini for meetings, and
if I have to share a screen I just join from Chrome; its screen share works
well enough and is more restricted than the Zoom client. I highly recommend it
if you don't feel comfortable.

~~~
m3kw9
Maybe you shouldn’t use iOS or any OS as they all have zero day
vulnerabilities.

~~~
CSDude
Okay I will use a unikernel to dial up to the landline number from a partly
airgapped Raspberry Pi.

iOS sandbox is much more powerful than macOS and the risk is significantly
reduced.

------
dreamcompiler
I always use Zoom in a browser to avoid stuff like this. Zoom has repeatedly
shown itself to be an untrustworthy app by an untrustworthy vendor.

~~~
prophesi
I was able to use Zoom in the browser with my first meeting, but now it no
longer shows that option when I access a Zoom meeting URL. What do you do to
force it to let you use it in the browser?

~~~
danans
AFAICT, you need to first click on the link to install the app, taking the
first step in that direction. But then close whatever app install window that
opens, return to the invitation page, and the Join From Browser link should
have appeared.

Basically, the option to join from a browser is only shown once you first
signal intent to install the app. This procedure is described in the Zoom
docs:

[https://support.zoom.us/hc/en-us/articles/214629443-Zoom-web...](https://support.zoom.us/hc/en-us/articles/214629443-Zoom-web-client?mobile_site=true#h_d058aa08-10b5-4c9f-b029-4ce9603bb2d1)

The meeting host can also change a setting that allows the Join From Browser
link to be displayed without having to go through the procedure above:

[https://support.zoom.us/hc/en-us/articles/115005666383-Show-...](https://support.zoom.us/hc/en-us/articles/115005666383-Show-a-Join-from-your-browser-Link?mobile_site=true)

------
gravitas
The Linux client jumped from 3.5.392530.0421 to 5.0.418682.0603 at the end of
April 2020. The version outlined in this article _appears_ to have never
existed on the Linux platform.

------
devit
The title is misleading: the vulnerabilities are already fixed in the most
recent version according to the article.

------
__m
I don’t get why people didn’t drop it after that major vulnerability last year

~~~
throw554323
Same reason people didn’t drop Windows, Mac OS, Intel, and other companies
that had vulnerabilities.

~~~
noobermin
The vulnerabilities here are comparable to those reported on the OS vendors
and Intel but installing spyware is another level.

------
akulbe
Correct me if I'm wrong… but didn't this get resolved in 5.x, and this is
referring to an old version?

I was forced to update to 5.x at one point, so it seems like this is old news.

------
monadic2
I’ve had great experience with running it in a vm at the cost of screen
sharing.

------
olliej
At least they're into regular bad code bugs, rather than intentionally created
security holes, including deliberately circumventing browser security
restrictions.

So progress?

~~~
scarface74
You mean like secretly installing a web server on Macs so that if you
uninstall Zoom it reinstalls itself?

[https://www.zdnet.com/article/zoom-defends-use-of-local-web-...](https://www.zdnet.com/article/zoom-defends-use-of-local-web-server-on-macs-after-security-report/)

~~~
olliej
That’s what they’ve moved on from - intentionally malicious code to just bad
code. Such progress! Much wow!

~~~
snvzz
They've learned about plausible deniability.

At least, if it looks like a vulnerability, they can probably get away with
it.

