August 7, 2019

Are your video conferencing sessions secure?


Video conferencing provides an easy way for remote and hybrid teams to connect efficiently across offices and time zones to get work done. Countless companies rely on web conferencing apps, such as Zoom, for daily collaboration. That’s why news of vulnerabilities in the Zoom web conferencing client gave us cause for concern.

Zoom’s vulnerabilities gave potential attackers an easy way to gain access to users’ computers by remotely taking over their computer webcams and initiating video-enabled calls on devices without user consent.

This sets the stage for an unknown and potentially malicious third party to activate users’ webcams and gain access to their systems simply by sending them fake Zoom links to join video calls.

Attackers could potentially record video and audio without a subject’s knowledge. Worse, by repeatedly joining users to phony calls, attackers could launch a denial of service (DoS) attack against a Zoom user and, via a remote code execution vulnerability, potentially gain access to a large number of devices.

Investigating the Zoom vulnerabilities

Our team typically encounters a new vulnerability from available threat intelligence resources and then poses the question:

  • What can we detect from our Covalence data?

In the case of the Zoom vulnerabilities, tracked as CVE-2019-13449 and CVE-2019-13450, this was relatively easy to answer by installing the application and analyzing its behaviour. However, what made the Zoom vulnerability interesting was the debate it created about reporting vulnerable software versus risky software.

Beware of Zoom running on Windows

Our initial focus was detecting and reporting on the vulnerability that forces users into Zoom calls without their consent and activates their webcams. This involved identifying Mac endpoints on customer networks with the Zoom client and/or its background web server installed.

We soon decided not to exclude the Windows operating system from our analysis. Fueling this decision, several credible information security sources also claimed that an as-yet unreported remote code execution vulnerability existed in Zoom (a claim that was later confirmed).

The remote code execution was eventually reported as CVE-2019-13567.

A deep dive into the Zoom vulnerabilities

CVE-2019-13450

CVE-2019-13450 is an information disclosure vulnerability in which users may be forced into a Zoom call with their video camera activated. This vulnerability impacts both the Mac and Windows versions of Zoom and could be leveraged via email or by tricking the user into visiting a malicious website. 

In either case, embedded HTML code will forcibly start recording users through their webcam. This is made even easier for the attacker by Zoom’s option to record separate audio and video for each video conference participant.

CVE-2019-13449

CVE-2019-13449 is a vulnerability in the Mac Zoom client in which an attacker could launch a DoS attack on users by repeatedly forcing them to join an invalid call (in this case, via a malicious website).

To enable easy reinstallation, Zoom installs a background web server on the client machine without the user’s knowledge. This web server also remains installed even if the user uninstalls the Zoom client.

This was allegedly a design choice by Zoom, favouring usability over security, so that the client application could be reinstalled (without permission) whenever the user joined a Zoom session, letting users communicate via the chat application again.

CVE-2019-13567

CVE-2019-13567 is a remote code execution vulnerability in the covertly installed Zoom web server on Mac clients (known as ZoomOpener). The vulnerability may allow an attacker to execute arbitrary code on a user’s device via a crafted link or malicious website (similar to CVE-2019-13449).

In the case of Windows clients, we also made these observations:

  • Users of Chrome accessing Zoom links will be greeted with a Zoom launch prompt. However, if the user has selected to always launch Zoom, this prompt will not appear.
  • Users of other browsers accessing Zoom links will be prompted to download an arbitrary executable and will need to run it in order to complete the launch of a Zoom conference. While this might interrupt the seamlessness of an attack, there is still a risk of users opening the executable through carelessness or clever social engineering by an attacker.

How to fix the Zoom vulnerabilities

There are steps you can take to fix the Zoom vulnerabilities. Consider the following:

    1. If Mac clients on your network have installed Zoom software, update this software to version 4.4.2 or higher.
    2. If Zoom is not mission-critical to your business, consider removing the application from all workstations and servers.
    3. If Zoom is mission-critical to your business, consider: disabling both audio and video when launching Zoom; instructing employees to ensure that Zoom calls are made directly through the Zoom interface and not via links in email; and ensuring that Zoom is not set to always run in Chrome when links are clicked.
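The following script is an added example, not code from Field Effect or Zoom, showing how a Mac administrator could check an endpoint for the two conditions discussed in this post and in the remediation step above: a Zoom client older than the fixed version 4.4.2, and a leftover background web server (ZoomOpener) that survives uninstalling the client. The post does not name the Zoom application bundle path or the hidden directory the web server lives in, so both are assumptions here and can be overridden with the ZOOM_APP and ZOOM_WEBSERVER_DIR environment variables; the process name ZoomOpener comes from the post.

```shell
#!/bin/sh
# Added example (not Field Effect's or Zoom's code): audit a Mac endpoint for a
# pre-4.4.2 Zoom client and for the leftover ZoomOpener background web server.
#
# ASSUMPTIONS (not stated in the post; override via environment variables):
#   ZOOM_APP            path of the Zoom application bundle
#   ZOOM_WEBSERVER_DIR  hidden directory where the background web server was installed
ZOOM_APP="${ZOOM_APP:-/Applications/zoom.us.app}"
ZOOM_WEBSERVER_DIR="${ZOOM_WEBSERVER_DIR:-${HOME:-/tmp}/.zoomus}"
FIXED_VERSION="4.4.2"   # version the post says Mac clients must be updated to

# version_ge A B: succeed (exit 0) when dotted version A is >= B, comparing
# component by component numerically, so 4.4.53 >= 4.4.2 and 4.10 >= 4.9.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        [ "${ah:-0}" -gt "${bh:-0}" ] && return 0
        [ "${ah:-0}" -lt "${bh:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# zoom_client_vulnerable VERSION: succeed when VERSION predates the fix.
zoom_client_vulnerable() {
    if version_ge "$1" "$FIXED_VERSION"; then return 1; else return 0; fi
}

# zoom_webserver_present DIR: succeed when the hidden web server directory exists.
zoom_webserver_present() {
    [ -d "$1" ]
}

# zoom_webserver_running: succeed when a ZoomOpener process is alive.
# pgrep is absent on some minimal systems; treat that as "not running".
zoom_webserver_running() {
    command -v pgrep >/dev/null 2>&1 && pgrep -x ZoomOpener >/dev/null 2>&1
}

# installed_zoom_version: print the client version from the app bundle's
# Info.plist, or nothing when the bundle or the macOS `defaults` tool is absent.
installed_zoom_version() {
    [ -f "$ZOOM_APP/Contents/Info.plist" ] || return 0
    command -v defaults >/dev/null 2>&1 || return 0
    defaults read "$ZOOM_APP/Contents/Info.plist" CFBundleShortVersionString 2>/dev/null || true
}

# audit_endpoint: print one line per check and return the number of findings
# (0 means nothing to remediate), so fleet tooling can act on the exit status.
audit_endpoint() {
    findings=0
    ver="$(installed_zoom_version)"
    if [ -z "$ver" ]; then
        echo "Zoom client: not found at $ZOOM_APP"
    elif zoom_client_vulnerable "$ver"; then
        echo "FINDING: Zoom client $ver is older than $FIXED_VERSION; update it"
        findings=$((findings + 1))
    else
        echo "Zoom client: $ver (patched)"
    fi
    if zoom_webserver_present "$ZOOM_WEBSERVER_DIR"; then
        echo "FINDING: background web server directory present at $ZOOM_WEBSERVER_DIR"
        findings=$((findings + 1))
    else
        echo "Background web server directory: not present"
    fi
    if zoom_webserver_running; then
        echo "FINDING: ZoomOpener process is running"
        findings=$((findings + 1))
    fi
    return "$findings"
}

audit_endpoint
```

The version comparison is done per component rather than as a string so that a release such as 4.4.53 is correctly judged newer than 4.4.2. Because the web server directory and process are checked independently of the client, the script still flags an endpoint where the user uninstalled Zoom but the background web server remained, which is exactly the case the post describes.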

Just a vulnerability or real risk?

Zoom attempted to improve the customer experience by reducing the number of clicks needed to join meetings. Unfortunately, this also set the stage for a security risk.

While it may be faster to join meetings this way, it required installing a local web server on every computer that installs the Zoom app and bypassing security measures such as a dialogue box confirming whether users want to join a new meeting.

From our analysis, we believe the Zoom web conferencing app represents a privacy risk for users and organizations relying on the software. This also illustrates a design decision that was focused on product usability, not security.

Although Zoom issued an emergency patch, we want to ensure customers and partners are aware of the situation so caution can be observed.

New detection analysis for our clients

The cycle of disclosure, detection, and notification is endless when it comes to cyber threats. This demands superior threat detection, monitoring, and analysis capabilities for business networks.

Here at Field Effect, we constantly strive to improve our products with new detection analytics. We also regularly inform our customers of suspicious activity and business risks. Do you have questions about vulnerable or risky software on your network? Or detection solutions for these threats? Reach out to us today.