Zoom might not be the safest video conferencing tool after all since cybersecurity researchers recently found out two bugs that attack its servers. According to the experts, these vulnerabilities target both clients and MMR servers, in particular. However, just recently, the company activated the ASLR after patching.
'Zero-Click Attack' Bugs on Zoom
According to an analysis conducted by Project Zero's Natalie Silvanovich, the video calling platform contains security flaws. Based on the probe, they were inspired by zero-click exploitations during the Pwn2Own demo.
Silvanovich disclosed that the two vulnerabilities targeted Zoom Multimedia Routers (MMRs) and Zoom clients. There was another one in the form of an MMR server data leak.
"In the past, I hadn't prioritized reviewing Zoom because I believed that any attack against a Zoom client would require multiple clicks from a user," Natalie explained.
She added that it's not that difficult to carry out an attack that would convince a user to join a Zoom video conference that requires many clicks. These open some possibilities for the organizations that often use the platform for meetings.
As such, the researcher noticed that the Address Space Layout Randomization (ASLR) was missing. This important security component will shield the system against memory interruptions.
Moreover, Silvanovich wrote that ASLR is very important in stopping the potential exploitation of memory corruption. She also concluded that there was no clear reason why it should be disabled in the first place.
Silvanovich admitted to not completing the full attack chain on Zoom. Regardless, she was highly suspicious that it's possible to happen in the hands of a "determined attacker" who has more time and "sufficient investment" in his/her hands.
Related Article : Google Bans Zoom App Over Security Vulnerabilities: Why Is It Not Safe To Use Zoom?
Security Vetting on Zoom is Difficult
Per ZDNet's report, Zoom activated ASLR after it patched the said vulnerabilities last November 24, 2021. However, there's another thing that worries the Project Zero team.
According to the security experts, Zoom has a "closed" nature, which makes them more difficult to conduct security vetting. This is because the videoconferencing tool excludes WebRTC and other open-source components.
Silvanovich pointed out that these challenges posed on Zoom hinder their investigation of these bugs. She believed that the platform could improve its accessibility for security analysts who want to check its security flaws and other aspects.
Why Zoom Poses Dangers to Users
In 2020, Tech Times reported that the New York authorities probed the teleconferencing app following reports that it allegedly sold users' details to third-party platforms. In addition, Zoom also faced allegations regarding the presence of trolls and strangers during meetings.
At that time, Zoom CEO Eric Yuan responded to these accusations and stated that they were aware of the complaints. After noting the importance of customer privacy, he wrote that they were thinking of eradicating FB SDK in their Apple-based client.
Last year, we also wrote that some cybersecurity consultants were worried about Zoom's screen-sharing feature. According to them, this feature could leak users' confidential information without them knowing.
This article is owned by Tech Times
Written by Joseph Henry