Zoom Zero-Days For Sale: Critical RCE at $500,000

Another day, another Zoom dumpster fire. This time, we get news of a “critical” Remote Code Execution (RCE) exploit being sold, plus a second nasty infosec bug.

One 0day is for the Windows Zoom client, and the other 0day is for macOS. The first is for sale at a mere $500,000.

Zoom can’t seem to catch a break. In today’s SB Blogwatch, we wonder if things are as bad as they seem.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: more translations.


ZM RCE 0day X2

What’s the craic? Lorenzo Franceschi-Bicchierai reports—“Two Zoom zero-days, one for Windows and one for MacOS, on the market.”:

 Two critical vulnerabilities … are currently present in Zoom’s Windows and MacOS clients, according to three sources who are knowledgeable about the market for these kinds of hacks. … 0days are unknown vulnerabilities in software or hardware that hackers can take advantage of to hack targets.

“[The Windows zero-day] is nice, a clean RCE,” … said one of the sources, who is a veteran of the cybersecurity industry. “Perfect for industrial espionage.” … Remote Code Execution exploits are the most sought after bugs, as they allow hackers to break in without having to rely on the target falling for a phishing attack, for example. … The MacOS bug is not an RCE, making it less dangerous.

The U.S. Senate has … advised government agencies not to use Zoom, citing “high risk” to privacy. [There have been] a series of privacy issues affecting Zoom.

“Zoom takes user security extremely seriously. Since learning of these rumors, we have been working around the clock with a reputable, industry-leading security firm to investigate them,” the company said in a statement. “To date, we have not found any evidence substantiating these claims.”

Is $500K a lot? Eric Geller—@ericgeller ponders a “mere” half a million:

 I would have expected a Windows Zoom zero-day to sell for more than this, honestly.

But Sergiu Gatlan compares and contrasts—“Exploit for Zoom Windows zero-day being sold for $500,000”:

 While there is no fixed price for exploits abusing this type of security flaw, some exploit acquisition platforms such as Zerodium pay exploit developers between $2,000 and $2,500,000. … The $500,000 price tag attached to this exploit might be justified [but] the exploit requires the potential attackers to be in the same call as the target, which drastically reduces its value.

Zoom was affected by a series of issues since the start of 2020, having to patch a security vulnerability in January that could’ve enabled attackers to identify and join unprotected Zoom meetings. … These privacy and security issues affecting Zoom … come on the heels of a sharp increase in new monthly active users … after being adopted as the default video conference platform by millions … working and learning from home during the pandemic.

I feel we’re reading more and more about how Zoom has bad security. Rae Hodge summarizes thuswise—“Here’s a timeline of every security issue”:

 You can start from the bottom and work your way up to the most recent information.

April 14: Suit filed against Facebook and LinkedIn …
April 14: New privacy option [only] for paid accounts …
April 13: 500,000 Zoom accounts sold …
April 10: Pentagon restricts Zoom use …
April 9: Senate to avoid Zoom …
April 9: Singapore teachers banned from Zoom …
April 9: German government warns against Zoom use …
April 8: Fourth lawsuit …
April 8: AI Zoombomb …
April 7: Taiwan bans Zoom from government use …
April 6: Some school districts ban Zoom …
April 6: Zoom accounts found on the dark web …
April 6: [EPIC] urging an FTC investigation …
April 6: Third class action lawsuit filed …
April 5: Calls “mistakenly” routed through [China] …
April 4: Another Zoom apology …
April 3: Zoom video call records left viewable …
April 3: Zoom apologizes, again …
April 3: Second class action lawsuit filed …
April 2: Automated tool can find Zoom meetings …
April 2: Data-mining feature discovered …
April 1: SpaceX bans Zoom …
April 1: More security flaws discovered …
April 1: Apologies from [CEO Eric] Yuan …
March 30: … Zoom doesn’t use end-to-end encryption …
March 30: More bugs discovered …
March 30: First class action lawsuit filed …
March 30: Classroom Zoombombings reported …
March 26: … sending user data to Facebook

Ironically, gweihir is impressed:

 The amount of incompetence is staggering. … It really seems that Zoom has managed to mess up everything with regards to security.

All too typical for current day software-“engineering” though. This mess has to stop.

Can you say “dumpster fire”? Apparently, politeruin can:

 Zoom is a dumpster fire of privacy and security violations, and why I will not use it. Trying to convince others not to is like screaming into the void. ‘But you can change your background to the bridge of the enterprise!’

An organisation I’m involved with has moved over to Zoom from Slack for video conf because of Slack’s limit to how many users can join a call. But Zoom is just rotten garbage with a privacy policy full of weasel wording.

I wonder where the bugs are? Natalie Silvanovich—@natashenka—has a feeling:

 I peeked at the Android client this weekend, and it uses a ~6-year-old branch of WebRTC. So I have a feeling where these bugs might be.

Users continue to pay the price for WebRTC lacking a clear update strategy for native integrators until recently.

What should we do? Charlie Osborne effects some advice: [You’re fired—Ed.]

 The simplest way to prevent unwanted attendees and hijacking is to set a password for your meeting. Passwords can be set at the individual meeting, user, group, or account level for all sessions.

When creating a new event, you should choose to only allow signed-in users. … Do not allow others to join a meeting before you, as the host, have arrived. … Once a session has begun … “lock” your meeting as soon as every expected participant has arrived. … Disabling the ability for meeting attendees to share their screens is worthwhile.

Choose a randomly generated ID for meetings when creating a new event. … The Waiting Room feature is a way to screen participants before they are allowed to enter a meeting. … Be careful with the file-sharing feature. … If you find that someone is disrupting a meeting, you can kick them out under the “Participants” tab.

As security issues crop up and patches are deployed or functions are disabled, you should make sure you have the latest build.

To which president says words—the best words:

 This reminds me of the complex privacy controls that Facebook had that ended up making me delete my account. These things should be secure by default.

Meanwhile, this Anonymous Coward suggests a suggestion:

 Maybe it’s about time the western world … get together and stop using Chinese software like Zoom and TikTok, especially when the former erroneously claimed to be an end-to-end encrypted service.

And Finally:

More fun from Chris Cohen

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Brian CA Neumann (cc:by-nd)
