New Zoom flaws discovered and published; update your video conferencing apps

The developers of the Zoom video conferencing platform announced the release of updates to address some security flaws in the Linux client. Successful exploitation of this flaw would have allowed threat actors to access the vulnerable system, read and extract data from users, as well as run malware disguised as a reliable application thread. 

Mazin Ahmed, a researcher who assisted in finding these flaws, mentions that Zoom also exposed a poorly configured instance and had not received updates in nearly a year, so the application could still be exposed to uncorrected flaws exploitation. Ahmed notified his finding to the company, which published the corrections a few days ago.

One of the attacks described by Ahmed targets Zoom Launcher for Linux, which could allow threat actors to run unauthorized software: “The whitelist of applications can be circumvented to run malware as a reliable thread, which represents a bad security practice,” the researcher says. 

Esta imagen tiene un atributo ALT vacío; su nombre de archivo es zoom1008202001.jpg
SOURCE: Mazin Ahmed

In another similar scenario, a malicious hacker with access to the target system could access the user’s confidential information, including messages stored in plain text. Other potential attacks are related to a weak authentication service and a TLS/SSL issue that would allow custom logs to be injected into the local Zoom database.

Esta imagen tiene un atributo ALT vacío; su nombre de archivo es zoom1008202002.jpg
SOURCE: Mazin Ahmed

Ahmed’s report continues highlighting a memory leak vulnerability by exploiting the profile picture feature in Zoom to load a malicious GIF, download the rendered file, and extract its metadata to expose parts of the system memory.

Esta imagen tiene un atributo ALT vacío; su nombre de archivo es zoom1008202003.png
SOURCE: Mazin Ahmed

Although Ahmed believes this is a consequence of a known flaw in ImageMagick image conversion software (CVE-2017-15277), Zoom ensures that the utility is not used to convertfs loaded as profile images in JPEG format.

Zoom removed the exposed Kerberos authentication server to prevent brute force attacks, as well as implementing other solutions to address the lack of encryption when storing chat logs.

While most potential attacks depend on threat actors having previously compromised the target user’s device, specialists recommend that you do not ignore updates. The findings were presented in DEF CON 2020.