[Thread]
The kind folk at http://www.cyber-itl.org shared a new @zoom_us security issue with me.
I want to take this opportunity to describe:
The issue
How Zoom et al should fix it
How purchasers should identify it before corporate purchasing
What individuals should do
1/
Zoom has been in the news for security issues a lot lately. I’m choosing to share this info because Zoom has been very good in responding to security researchers and security problems. It is apparent they care now... but how bad is their security deficit? Let’s quantify 2/
To avoid adding to the FUD let me state this up front: If you use Zoom at home for personal reasons to remain connected to loved ones during the pandemic - that’s very important. You should probably continue using the product. Hopefully Zoom will update and improve. 3/
CITL took a look at the Linux Zoom software and frankly it is surprisingly security deficient. I mean *surprisingly* deficient!
@m0thran did the analysis I’m about to share. (You should follow him.) Let’s quantify the issue and then show what to do about it. 4/
The Linux Zoom binary is 42M (!), is at /opt/zoom/zoom, and version is 3.5.383291.0407. It lacks so many base security mitigations it would not be allowed as a target in many Capture The Flag contests. Linux Zoom would be considered too easy to exploit! How do we know? 5/
CITL uses their own software tools that aren’t open source (yet), but you can find free software with a subset of their checks. The Linux checksec shell script works fine for this. Notice the binary lacks DEP/ASLR/Canaries/Fortification/RO section orders [@wdormann image] 6/
The absence of these basic security and safety attributes makes the application exceedingly easy to exploit (I’ll show coding vulnerabilities in a bit). Disabling all of them is impressive. Perhaps Zoom using a 5-year-out-of-date development environment helps (2015). 7/
It’s not hard to find vulnerable coding in the product either. Here’s an example of grabbing an untrusted environment variable and handing it to the insecure popen(3) function for execution [@m0thran image]. There are plenty of secure-coding-101 flaws here. 8/
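As an added illustration (not Zoom’s code and not CITL’s analysis; the settings-file command and the use of HOME as a path are assumptions), here is the environment-variable-to-popen(3) pattern the thread describes, next to a hardened form that validates the value and spawns the helper without a shell:

```c
#include <ctype.h>
#include <spawn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>

extern char **environ;

/* Pattern described in the thread: a caller-controlled environment variable is
 * pasted into a command line and handed to popen(3), so /bin/sh interprets any
 * shell metacharacters it contains. (Illustrative, not Zoom's code.) */
FILE *open_settings_insecure(void) {
    char cmd[4096];
    const char *home = getenv("HOME");
    snprintf(cmd, sizeof cmd, "cat %s/.config/app.ini", home ? home : "");
    return popen(cmd, "r");
}

/* Hardened form, part 1: validate the value before trusting it. Accept only an
 * absolute path built from a conservative character set, with no ".." inside. */
int home_is_safe(const char *home) {
    if (!home || home[0] != '/' || strlen(home) >= 1024) return 0;
    for (const unsigned char *p = (const unsigned char *)home; *p; p++)
        if (!isalnum(*p) && *p != '/' && *p != '_' && *p != '-' && *p != '.')
            return 0;
    return strstr(home, "..") == NULL;
}

/* Hardened form, part 2: never go through a shell. Build an argv and spawn the
 * program directly, so the value is one argument and is never re-parsed.
 * Returns 0 on success, -1 if the value was rejected or the spawn failed. */
int read_settings_secure(const char *home, int *status) {
    if (!home_is_safe(home)) return -1;
    char path[2048];
    snprintf(path, sizeof path, "%s/.config/app.ini", home);
    char *argv[] = {"cat", path, NULL};
    pid_t pid;
    if (posix_spawnp(&pid, "cat", NULL, NULL, argv, environ) != 0) return -1;
    return waitpid(pid, status, 0) < 0 ? -1 : 0;
}

int main(void) {
    const char *home = getenv("HOME");
    printf("HOME=%s -> %s\n", home ? home : "(unset)",
           home_is_safe(home) ? "accepted" : "rejected");
    return 0;
}
```

The validator is deliberately strict; a product would relax the character set to match real home directories, but the point is that the shell never sees the value.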
This is a bit embarrassing, but I struggle to consider the impact of the "vulnerability". In particular where does the attacker need to be to exploit it, and what did they gain that they didn't already have? I can set my own HOME and then run Zoom, which spawns the app I specify?
Please see my response to @tehjh
That's fair. While this itself isn't a vulnerability, sniff tests are a real thing.