Cisco Talos researchers recently uncovered two new flaws in Zoom that could allow attackers to execute arbitrary code on users’ computers, according to research published Wednesday.
Zoom has partially fixed the vulnerabilities, according to Cisco Talos. The cybersecurity company said it worked with Zoom on addressing the flaws.
It’s the latest set of security bugs discovered in Zoom, a teleconferencing company whose software has come under heightened scrutiny in recent months as the coronavirus pandemic forced people around the world to telework and rely on videoconference platforms. Competitors include Cisco WebEx, Microsoft Teams, and GoToMeeting.
Zoom fixed one of the issues, dubbed TALOS-2020-1056, in May. And while Zoom addressed the other flaw, dubbed TALOS-2020-1055, in a server-side update, Cisco Talos’ Jon Munshaw said in a blog he believes that a client-side update will be necessary to fully mitigate any risk.
Zoom claimed in a statement shared with CyberScoop that it updated the bugs in April.
The first flaw, TALOS-2020-1056, affecting Zoom Client version 4.6.10, relates to how Zoom processes messages.
“The core of this vulnerability is that Zoom’s zip file extraction feature does not perform validation of the contents of the zip file before extracting it,” Talos researchers write. “[I]n case of a shared code snippet, Zoom will proceed to automatically unpack the downloaded zip file in order to preview and display the snippet.”
Prior to the fix, if attackers sent a specially crafted message to individuals or groups, the vulnerability could be triggered, according to Talos. This can allow attackers to implant malicious files on victim computers, without any user interaction.
If users interact with the files they receive, for instance by downloading them, the attacker can send further malicious files, according to Talos.
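As an added illustration of the missing step Talos describes (validating an archive's contents before extracting it), the following is example code written for this article, not Zoom's or Talos's code; the size limits and the sample archive it builds are assumptions, and the mitigation shown is a generic one for any client that auto-unpacks received zip files.

```python
import io
import posixpath
import zipfile

# Limits assumed for this example; a real client would pick its own.
MAX_ENTRIES = 64
MAX_ENTRY_BYTES = 1024 * 1024        # 1 MiB per member
MAX_TOTAL_BYTES = 8 * 1024 * 1024    # 8 MiB unpacked in total

def _escapes_target(name):
    """True if the member name could land outside the extraction dir."""
    n = name.replace("\\", "/")
    if n.startswith("/") or (len(n) > 1 and n[1] == ":"):
        return True                  # absolute path or Windows drive letter
    return ".." in posixpath.normpath(n).split("/")

def check_zip_entries(data):
    """Inspect the central directory and return a list of problems.

    An empty list means every member passed. Nothing is written to disk:
    the point is to decide on the archive as a whole before extracting.
    """
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            problems.append("too many entries: %d" % len(infos))
        total = 0
        for info in infos:
            if _escapes_target(info.filename):
                problems.append("path escapes target dir: %r" % info.filename)
            # Unix symlink members (mode bits live in the high 16 bits).
            if (info.external_attr >> 16) & 0o170000 == 0o120000:
                problems.append("symlink member: %r" % info.filename)
            if info.file_size > MAX_ENTRY_BYTES:
                problems.append("member too large: %r" % info.filename)
            total += info.file_size
        if total > MAX_TOTAL_BYTES:
            problems.append("unpacked size too large: %d bytes" % total)
    return problems

def build_zip(entries):
    """Constructed sample archive for demonstration (not real Zoom traffic)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

A client that follows this pattern refuses the whole archive when any member fails, rather than extracting the acceptable members and skipping the rest.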
The second flaw relates to how the Zoom client processes messages that contain animated GIFs, which could also be abused to execute arbitrary code.
End-to-end encryption debate
This is just the latest security headache for Zoom. For months, the San Jose, California-based company has been working to address numerous security and privacy flaws in its products, from an issue that allowed uninvited users to disrupt other people’s calls — colloquially known as “Zoombombing” — to an issue that could have allowed attackers to steal some users’ passwords, which has since been fixed.
But the information security community is still not satisfied with how the company has chosen to implement end-to-end encryption, a feature that would protect users’ communications from outside parties, including from Zoom.
The company previously falsely advertised that it was providing users end-to-end-encryption, even though Zoom could still access unencrypted video and audio from meetings. Now, the company’s founder, Eric S. Yuan, is saying that the company will provide end-to-end encryption only to paying or corporate customers, leaving customers who use the free version of Zoom without that standard of privacy and security.
The company says it has decided to leave those customers without end-to-end encryption, for now, because Zoom wants to provide information on free customers’ communications to law enforcement in case they commit crimes.
“Free users for sure we don’t want to give that because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose,” Yuan said on a conference call Tuesday, according to Bloomberg.
According to the Electronic Frontier Foundation’s Associate Director of Research, Gennie Gebhart, the company should be doing more to protect users who can’t afford their paid offering.
“[S]pinning it as ‘bad things happen on free accounts’ strikes me as paternalistic and unconcerned about other user groups who need [end-to-end encryption] protection,” Gebhart said in a tweet. “You heard that right, activists, journalists, organizers, and cash-strapped non-profits of the world: Zoom [could] offer you best-practice security, but it won’t, because you might be a child pornographer. Better luck next time.”
Former Facebook executive Alex Stamos, whom Zoom recently onboarded to help address security issues, told Reuters in an interview that the current plans are subject to change.