Video conferencing provides an easy way for remote and distributed teams to connect efficiently across offices and time zones to get work done. Countless companies rely on web conferencing apps, such as Zoom, for daily collaboration. That’s why news of recent vulnerabilities in the Zoom web conferencing client gave us cause for concern.
Zoom’s recent vulnerabilities gave potential attackers an easy way to gain access to users’ computers by remotely taking over their webcams and initiating video-enabled calls on devices without user consent.
This sets the stage for an unknown and potentially malicious third party to activate users’ webcams and gain access to their systems simply by sending users fake Zoom links to join video calls. Attackers could potentially record video and audio without a subject’s knowledge or, worse, by repeatedly joining users to phony calls, launch a denial of service (DoS) attack against a Zoom user, and potentially gain access to a large number of devices via a remote code execution vulnerability.
Zoom: The anatomy of vulnerability detection and response
Our Field Effect team typically learns of a new vulnerability from available threat intelligence resources and immediately poses two questions:
- What can we detect from our Covalence solution endpoint data?
- What can we detect from our Covalence solution network data?
In the case of the Zoom vulnerabilities, tracked as CVE-2019-13449 and CVE-2019-13450, these questions were relatively easy to answer by installing the application and analyzing its behaviour. What made the Zoom vulnerabilities interesting, however, was that they sparked a debate about reporting vulnerable software versus risky software. More on that to come.
Not just Mac: Beware of Zoom running on Windows
Our initial focus was detecting and reporting on the vulnerability that forces users into Zoom calls, without their consent, and activates their webcams. This involved identifying Mac endpoints in customer environments with Zoom and/or its web server installed. We soon decided not to exclude the Windows operating system from our analysis. Fueling this decision, several credible information security sources also claimed that an unreported remote code execution vulnerability existed in Zoom (which was later reported to be true). The remote code execution flaw was eventually assigned CVE-2019-13567.
Here are descriptions of the three Zoom vulnerabilities:
CVE-2019-13450: This is an information disclosure vulnerability in which users may be forced into a Zoom call with their video camera activated. This vulnerability impacts both the Mac and Windows versions of Zoom, and could be leveraged via email or by tricking the user into visiting a malicious website. In either case, embedded HTML code will forcibly start recording users through their webcam. This is made even easier for the attacker through Zoom’s options to record separate audio and video for each video conference participant.
CVE-2019-13449: This is a vulnerability in the Mac Zoom client in which an attacker could launch a DoS attack on users by repeatedly forcing them into joining an invalid call (in this case, via a malicious website). To enable easy re-installation, Zoom initializes a background web server on the client machine without the user’s knowledge. This web server also stays installed even if the user uninstalls the Zoom client. This was allegedly a design choice by Zoom, focused on usability versus security, to let users communicate via the chat application by reinstalling the client application (without permission) whenever the user joined a Zoom session.
CVE-2019-13567: This is a remote code execution vulnerability in the covertly installed Zoom web server on Mac clients (known as ZoomOpener). The vulnerability may allow an attacker to execute arbitrary code on a user’s device via a crafted link or malicious website (similar to CVE-2019-13449 above).
In the case of Windows clients, we also made these observations:
Users of Chrome accessing Zoom links will be greeted with a Zoom launch prompt. However, if the user has selected to always launch Zoom, this prompt will not appear.
Users of other browsers accessing Zoom links will be prompted with the download of an arbitrary executable and will need to run it in order to complete the launch of a Zoom conference. While this might interrupt the seamlessness of an attack, there is still a risk of users opening the executable through carelessness or clever social engineering by an attacker.
How do you fix the Zoom vulnerabilities?
We provided our customers with the direction below to fix the Zoom vulnerabilities:
- If Mac clients on your network have installed Zoom software, update this software to version 4.4.2 or higher
- If Zoom is not mission-critical to your business, consider removing the application from all workstations and servers.
- If Zoom is mission-critical to your business, consider the following steps:
  a. Disable both audio and video when launching Zoom: Settings -> Video -> Turn off my video when joining meeting AND Settings -> Audio -> Always mute microphone when joining meeting.
  b. Instruct employees to ensure that Zoom calls are made directly through the Zoom interface rather than through links in email.
  c. Ensure that Zoom is not set to always run in Chrome when links are clicked.
The following screenshot illustrates step 3a, disabling the video:
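As an added example (not Field Effect's code), the following POSIX shell check reports the two indicators the detection work and the first fix step above are concerned with on a Mac: a Zoom client older than 4.4.2, and the ZoomOpener helper (the background web server) still present after an uninstall. The install path /Applications/zoom.us.app and the helper's location under ~/.zoomus are assumptions drawn from public reporting, so adjust them to your environment.

```shell
#!/bin/sh
# Added example, not the vendor's or Field Effect's code. Assumptions labelled below.

MIN_VERSION="4.4.2"   # fixed client version named in the advisory above

# Return 0 (true) if dotted version $1 is older than dotted version $2.
version_lt() {
  a="$1" b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"            # leading component of each
    [ "$a" = "$x" ] && a="" || a="${a#*.}" # drop it, or finish when none left
    [ "$b" = "$y" ] && b="" || b="${b#*.}"
    x="${x:-0}"; y="${y:-0}"              # missing component counts as 0
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
  done
  return 1                                # equal: not older
}

# Return 0 if the installed client version ($1) predates the fixed release.
zoom_client_vulnerable() { version_lt "$1" "$MIN_VERSION"; }

# Return 0 if the ZoomOpener helper is present. Assumption: it is installed
# as ZoomOpener.app under $HOME/.zoomus; a directory may be passed for testing.
zoom_opener_present() {
  dir="${1:-$HOME/.zoomus}"
  [ -e "$dir/ZoomOpener.app" ]
}

# Print the installed client version. Assumption: default bundle path.
installed_zoom_version() {
  plist="${1:-/Applications/zoom.us.app/Contents/Info.plist}"
  [ -f "$plist" ] || return 1
  defaults read "${plist%.plist}" CFBundleShortVersionString 2>/dev/null
}

main() {
  if v="$(installed_zoom_version)"; then
    if zoom_client_vulnerable "$v"; then
      echo "Zoom $v: below $MIN_VERSION, update required (CVE-2019-13449/13450)"
    else
      echo "Zoom $v: at or above $MIN_VERSION"
    fi
  else
    echo "Zoom client bundle not found"
  fi
  if zoom_opener_present; then
    echo "ZoomOpener helper present: local web server survives uninstall, remove it"
  else
    echo "ZoomOpener helper not present"
  fi
}
main
```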
Vulnerable software or risky?
Unfortunately, Zoom set the stage for a security risk by attempting to improve the customer experience of joining meetings by reducing the number of clicks. While this makes joining meetings faster, it required installing a local web server on every computer with the Zoom app, and bypassing security measures such as the browser dialogue box that confirms whether users want to join a new meeting.
From our analysis, we believe the Zoom web conferencing app represents a privacy risk for users and organizations relying on the software. It also illustrates a design decision that favoured product usability over security.
Although Zoom has now issued an emergency patch, the Field Effect team wants to ensure customers and partners are aware of the situation so that caution can be observed.
Field Effect: New detection analysis for you
The cycle of disclosure, detection, and notification is endless when it comes to cyber threats. This demands superior threat detection, monitoring, and analysis capabilities for business networks.
Here at Field Effect, we constantly strive to improve our products with new detection analytics and to inform our customers of suspicious activity and business risk. One example is a recent capability that enables our team to check the software installed on endpoints against vulnerability databases and alert customers to outdated and potentially vulnerable software. We have also developed analytics to detect and alert on known and potentially risky software, including remote administration tools and Virtual Private Network (VPN) software.
Do you have questions about vulnerable or risky software on your network? Or detection solutions for these threats? Our Field Effect team can provide advice. Reach out to us today at [email protected].