Reading Time: 3 minutes
If you have Zoom fatigue already, prepare for more. That’s because researchers uncovered new vulnerabilities on the telecom application with the potential for some serious remote exploitation of MRR servers and clients. Zoom was recently notified. Project Zero published a security analysis on the vulnerabilities this week. Fueled by a zero-click attack against the video conferencing tool, the investigation was demonstrated live at Pwn2Own, a security conference the collaboration giant was sponsoring.
Why isn’t Zoom reviewed for cybersecurity risks more frequently?
“In the past, I hadn’t prioritized reviewing Zoom because I believed that any attack would require multiple clicks from a user,” the researcher, Silvanovich, shared. “It’s likely not difficult for a dedicated attacker to convince a target to join a Zoom call even if it takes multiple clicks, and the way some organizations use Zoom presents interesting attack scenarios.”
The Latest Zoom Bugs and Threat Factors Explained
Silvanovich identified two separate bugs. First, a buffer overflow problem impacting Zoom clients and Zoom Multimedia Routers (MMRs). And next, an information-leaking security defect key to MMR servers.
In more bad news for Zoom users, the researcher observed a “lack of Address Space Layout Randomization (ASLR).” ASLR is a security mechanism platforms leverage to prevent memory corruption attacks.
The researcher warned that ASLR is arguably the most critical mitigation in the exploitation of memory corruption prevention and that “most other mitigation methods rely on it on some level to be effective.” Silvanovich stressed that there is absolutely no reason to disable ASLR on most software.
The final outcome?
MMR servers process both audio and video call content. However, the study labeled these bugs as “especially concerning.” The researcher noted without end-to-end encryption, any compromised virtual meeting can risk call privacy, promoting unwanted eavesdropping from hackers. Zoom patched these vulnerabilities in November of 2021. However, there’s still cause for concern, here’s why:
The researcher determined that the Zoom barriers against security research lead to a lack of regular, necessary investigation—“potentially leading to simple bugs going undiscovered,” Silvanovich noted. “Closed-source software presents unique security challenges, and Zoom could do more to make their platform accessible to security researchers and others who wish to evaluate it.”
So, what now?
For years now, Zoom bombing and other security issues have been making headlines and causing havoc across the connected workforce. With the connected workforce as the new norm, it’s mission-critical to have a reliable, secure productivity and collaboration platform.