Archive for Zoom

Zoom Workplace Apps Vulnerabilities Enable Escalated Privileges Among Other Attack Vectors

Posted in Commentary with tags on May 13, 2025 by itnerd

It is being reported that Zoom has disclosed multiple vulnerabilities impacting its Workplace apps, across its various platforms, that pose significant risks such as privilege escalation, denial-of-service (DoS) and remote code execution.

Jim Routh, Chief Trust Officer at Saviynt had this to say:

“Cyber professionals are considering the need for deep fake detection and prevention impacting virtual meetings today. It turns out that the software defects/vulnerabilities announced recently in Zoom Workplace are far more critical at this time.

DoS and remote code execution vulnerabilities have the potential for significant business disruption with the potential for ransomware exploits. Software resilience for enterprise software companies is achievable with more maturity in the development process to identify and remediate race conditions.”

Erich Kron, Security Awareness Advocate at KnowBe4 follows with this:

“Given the number of people that use and rely on Zoom for their organizations’ day-to-day activities, this type of flaw could be very significant. Deepfake audio and video have already been an issue, and in this case having a Zoom meeting initiated from a legitimate account could be the difference between a person believing the caller and not believing them. Fortunately, in this case, exploiting is not something that can be done easily remotely, so physical access is required. However, it demonstrates what may be possible with other future vulnerabilities that could be remotely exploited. Due to the proliferation of deepfakes and live action scams, as opposed to just email phishing, organizations would benefit from ensuring their HDR program includes a focus on ways to ensure the caller is legitimate.”

This is really not good. Now that these are out there, threat actors will be trying to exploit those who do not update ASAP. And that’s the key to keeping safe. If you use Zoom, you should update your Zoom client ASAP.

A Now Fixed Zoom Vulnerability Enabled An Attacker To Gain A Lot Of Access To A Zoom Room

Posted in Commentary with tags on November 30, 2023 by itnerd

There was a scary Zoom vulnerability that you might want to pay attention to:

In June 2023, a vulnerability in Zoom Rooms was discovered. This vulnerability had the potential to allow an attacker to claim a Zoom Room’s service account and gain access to the victim’s organization’s tenant. As a service account, an attacker would have invisible access to confidential information in Team Chat, Whiteboards, and other Zoom applications.

But the good news is that it was fixed:

Following several conversations with the Zoom team, the vulnerability was validated and promptly remediated. To mitigate this issue, Zoom removed the ability to activate Zoom Room accounts.

But it highlights the risks posed by cloud services. Basically, you have to trust that the provider of the cloud service has their security on point. Allen Drennan, Principal & Co-Founder, Cordoniq adds these thoughts:

This is just another example of why organizations who are security conscious need to consider the ramification of utilizing public cloud-based services for their internal collaboration. Online retail video conferencing companies are often slow to respond to security threats, leaving large numbers of customers vulnerable to cyber threats. Having complete control over the implementation of the solution, including how user account access is administered and managed within the solution, is critical to data privacy.

The good news is that this specific vulnerability was addressed by Zoom. The bad news is there might be more out there that we don’t know about. And that’s concerning.

Why Does Zoom For Mac Want Access To Data From Other Apps?

Posted in Commentary with tags on October 6, 2023 by itnerd

I updated to macOS Sonoma recently and so far so good. Except for this pop up that would appear when I am using Zoom:

From an Apple perspective, I know what is happening. In macOS Sonoma, Apple made a bunch of changes to make sure that apps aren’t accessing things they shouldn’t, or doing things that they shouldn’t. This is one of those changes. In short, Zoom is trying to access something that the operating system thinks it should not have access to. And as a result it is prompting you to allow it or not. This also implies that Zoom has been doing this for a while and macOS Sonoma has caught them out.

If you want to go into the weeds on these changes in macOS, this article is worth reading. Specifically the section called “Security and Privacy | Application Data Protection”.

In my case, I have said “Don’t Allow” every single time that this prompt has appeared. As far as I can tell, there has been no noticeable effect in terms of how Zoom operates. My perception is that Zoom is just asking because it wants the data for its own purposes and not to provide me with any useful functionality. But I don’t know that for sure as Zoom hasn’t said anything that I can find online in terms of what it wants access to and more importantly why. Until Zoom does say something substantive, I will continue to click on “Don’t Allow”. And if you get this prompt, you should click “Don’t Allow” as well.

Given Zoom’s rather questionable history with security and privacy, it would be in their interest to say something about this sooner rather than later. Otherwise, this will be treated with the suspicion that Zoom is up to something shady. I would like to think that Zoom doesn’t want to be seen that way. Thus they will comment on this in detail quickly.

Over to you Zoom.

Zoom Announces An AI Companion…. What Could Go Wrong?

Posted in Commentary with tags on September 7, 2023 by itnerd

Zoom has announced an AI companion which bills itself as Zoom’s generative AI product. From the press release:

AI Companion reinforces Zoom’s vision to deliver limitless human connection on one platform, empowering people by increasing their productivity, enhancing their skills, and improving team effectiveness. Zoom also announced today that Zoom IQ for Sales, its conversational intelligence software, will be renamed Zoom Revenue Accelerator.

Since Zoom introduced generative AI in early June, thousands of companies have benefited from free trials of Team Chat compose and Meeting summary. Beginning this fall, Zoom will significantly expand its generative AI offering across its platform with the launch of AI Companion, at no additional cost with paid Zoom user accounts. 

Zoom’s federated approach to AI delivers high-quality results and lowers costs by dynamically incorporating its own large language models, along with third-party models such as Meta Llama 2, OpenAI, and Anthropic.

Rooted in this unique approach, Zoom AI Companion delivers powerful, real-time digital assistant capabilities to help users improve productivity and work together more effectively. Zoom customers can expect to see AI Companion throughout the entire platform, from Meetings, Team Chat, Phone, Email, and Whiteboard, with additional features on the roadmap.

Sounds great right? But Allen Drennan, Principal & Co-Founder, Cordoniq has a different view:

The advancements in AI capabilities, while truly revolutionary, are moving much more rapidly than the pace of regulation that is required.  While there are clear benefits to generative AI assistance in collaborative communications, organizations need to understand that the process of building the generative AI is based upon customer provided content, and is quite often kept in the cloud outside of the control of the organization.  For sensitive internal communications, companies may be inadvertently providing a blueprint to their own proprietary information and intellectual property to other companies, without realizing they have provided consent. They need to be cautious about how this information may be utilized and what information is provided to third-party products.

Any use of AI needs to be tightly managed, otherwise bad things will happen. Thus it’s no wonder why companies like Samsung have banned AI use. It also might explain why Zoom is giving this away to paying customers. You might want to consider that before you jump on board if you’re a Zoom customer.

The CEO Of Zoom Says You Can’t Get Anything Done On Zoom…. WTF?

Posted in Commentary with tags on August 24, 2023 by itnerd

From the “what a hypocrite” department comes a leaked all-hands meeting in which Zoom CEO Eric Yuan said this:

“Quite often, you come up with great ideas, but when we are all on Zoom, it’s really hard,” Zoom CEO Eric Yuan told workers during an August 3rd meeting. “We cannot have a great conversation. We cannot debate each other well because everyone tends to be very friendly when you join a Zoom call.”

Besides the idea that innovation is better fostered in person, Yuan said office work is important because it builds trust among employees.

“Trust is a foundation for everything,” he said. “Without trust, we will be slow.”

So let me get this straight. Yuan claims that you work better in person versus on Zoom. Despite the fact that he’s the CEO of Zoom who made remote work a “thing” during the pandemic. That blows my mind and I have to wonder how anyone at Zoom can sell Zoom licenses with a straight face now that this is out there.

Now I have plenty of clients who are remote working and not only has the world not imploded, they’re thriving. So in short, he’s wrong and I have to wonder how many people at Zoom are currently looking for other jobs because of Yuan’s stance.

UPDATE: Allen Drennan, Co-Founder & Principal, Cordoniq had this comment:

“Instead of trying to use generic or legacy conferencing products, businesses should be investing in immersive solutions that integrate into their workflow and have the elements and touch-points that allow their distributed workforce to interact in a way that is the same as being in the office.”

Zoom Accused Of Using User Data To Train Their AI

Posted in Commentary with tags on August 8, 2023 by itnerd

Something that blew up in the world yesterday is an accusation that Zoom is using customer data to train its AI with no option to opt out. This Tweet (or X? seeing as Twitter is now X) is an example of this: 


To verify that accusation, I went looking for their terms of service and found them here: https://explore.zoom.us/en/terms/

This is the verbiage that is at issue: 

You consent to Zoom’s access, use, collection, creation, modification, distribution, processing, sharing, maintenance, and storage of Service Generated Data for any purpose, to the extent and in the manner permitted under applicable Law, including for the purpose of product and service development, marketing, analytics, quality assurance, machine learning or artificial intelligence (including for the purposes of training and tuning of algorithms and models), training, testing, improvement of the Services, Software, or Zoom’s other products, services, and software, or any combination thereof, and as otherwise provided in this Agreement.

This looks bad and appears to confirm the accusation. But Zoom doesn’t see things that way. Here’s a link where Zoom pushed back on these claims: 

https://blog.zoom.us/zooms-term-service-ai/

Specifically:

For AI, we do not use audio, video, or chat content for training our models without customer consent.

And if you read the whole document, it talks about two Zoom features that use AI:

  • Zoom IQ Meeting Summary
  • Zoom IQ Team Chat Compose

And Zoom goes on to say this:

When you choose to enable Zoom IQ Meeting Summary or Zoom IQ Team Chat Compose, you will also be presented with a transparent consent process for training our AI models using your customer content. Your content is used solely to improve the performance and accuracy of these AI services. And even if you chose to share your data, it will not be used for training of any third-party models. 

The blog post shows that a lot of these features are turned off by default. I’ve checked this with a couple of my clients who use Zoom, and it matches what Zoom is saying. But this blew up because so many other companies have been caught collecting user data to train AI. And the way that the terms of service are written doesn’t help to give users of Zoom any other view than that Zoom is doing the same thing. I am tempted to give Zoom a pass on this one. But given Zoom’s past history when it comes to security and other issues, Zoom really has to demonstrate that they are trustworthy 100% of the time.

UPDATE: Allen Drennan, Co-Founder & Principal, Cordoniq provided me with this comment:

When private organizations are uploading internal confidential information and IP into a meeting, they are not considering the ramifications of providing their data to a third-party provider that is managed in a cloud they do not control. The issue is not just limited to shared screens or multi-page confidential shared documents. It is also extended to recordings of the meetings and the audio and video used within the meeting. When implementing these types of online meeting services, you really must have control over both security and privacy but also the entire deployment including the backend and your organization should be in a legal position to provide your own terms of service and license agreement to your consumers.

A Highly Dangerous Zoom #Phishing Email Is Making The Rounds

Posted in Commentary with tags on February 28, 2023 by itnerd

Since the start of the pandemic, Zoom has exploded in popularity as a means to communicate. But threat actors are latching onto that to advance their goals. Take this email for example:

It looks well crafted and seems like something that could come from Zoom. But look closer and you’ll see that it isn’t from Zoom. Starting with this:

This isn’t a Zoom email address as Zoom uses zoom.us as their domain. So right out of the gate, this is a red flag. Now I will say that unlike most phishing scams that I come across, the English in this email is decent. I guess threat actors are finally learning that their English needs to be on point if they have any hope of scamming someone. But what hasn’t changed is a call to action to get you to do what they want. Specifically this:

Please take note that your account will continue to be inactive until you install the security app. We’re sorry for any inconvenience this may cause.

If you think that you can’t use Zoom until you install this “Security App”, then you’re more likely to click on “Install Security App”. Which, by the way, you should not click on. But because I am a trained professional, I did. And here’s what I got:

Now I have to admit that the threat actors spent a lot of time and effort making this look just like something that Zoom would do. But a closer look shows that this isn’t a Zoom web page:

Again, Zoom’s domain for web and email is Zoom.us. Thus this is another red flag. And to reinforce the fact that they want you to do what the threat actors want, there’s this:

This makes me think that this scam is aimed at companies who use Zoom rather than individuals as those are all features that companies use. Also, you’ll notice that the quality of the English falls apart here.

I’m pretty sure that if you click download, you’ll get some malware. Let’s find out by taking a Windows 11 virtual machine and trying to install it just for giggles. I recorded the install process for you to view.

Now I did compare this to the real Zoom installer and the install process is identical. The only thing that jumps out at me is the version number, which is version 5.13.5 (12053). The latest version that I am aware of for Windows is 5.13.10 (13305) which makes this slightly older. I also noted that Microsoft Defender didn’t stop this. I also ran this by VirusTotal and it didn’t flag this as suspicious either. That implies that this is a novel attack of some sort which makes this extremely dangerous. I am going to investigate this further and I will update you with my findings. But in the meantime, I have reached out to Zoom and submitted all of this information so that they can put an end to this. But until they do, I would not only watch out for this threat if it hits your inbox, I would send this out far and wide to make sure nobody gets hit with this as clearly this threat is dangerous.
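The two red flags this post calls out, a sender address and a landing page that are not under zoom.us, are the kind of check a mail filter or a cautious user can apply mechanically. The following is an added example, not code from the post or from Zoom, and the sample messages in it are constructed: it extracts the sender’s domain and every link host and accepts them only if they are zoom.us itself or a subdomain of it, which also catches the usual lookalikes (zoom.us as a prefix of a longer host, or zoom.us placed in the user-info part of a URL).

```python
"""Flag e-mails whose sender address or embedded links do not belong to the
expected organisation's domain. Added example; the sample messages are constructed."""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# From the post: Zoom's domain for web and e-mail is zoom.us.
EXPECTED_DOMAIN = "zoom.us"


def host_belongs_to(host: str, domain: str) -> bool:
    """True only if host is the domain itself or a subdomain of it.
    Comparison is label-based, so 'zoom.us.evil.example' and 'notzoom.us' fail."""
    host = host.lower().rstrip(".")
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def sender_domain(from_header: str) -> str:
    """Domain part of the address in a From: header (display name ignored)."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def link_hosts(body: str) -> list:
    """Hostnames of all http(s) URLs in the message body.
    urlparse().hostname drops any user-info, so 'https://zoom.us@x.example/'
    is reported as x.example, not zoom.us."""
    urls = re.findall(r"https?://[^\s<>\"')]+", body)
    hosts = []
    for url in urls:
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def check_message(from_header: str, body: str, expected: str = EXPECTED_DOMAIN) -> dict:
    """Return the extracted domains plus a list of red flags (empty means nothing odd)."""
    flags = []
    sd = sender_domain(from_header)
    if not host_belongs_to(sd, expected):
        flags.append(f"sender domain {sd!r} is not under {expected}")
    hosts = link_hosts(body)
    for h in hosts:
        if not host_belongs_to(h, expected):
            flags.append(f"link host {h!r} is not under {expected}")
    return {"sender_domain": sd, "link_hosts": hosts, "red_flags": flags}


# Constructed samples: one message that really is from zoom.us, one that only pretends to be.
LEGIT_FROM = "Zoom <no-reply@zoom.us>"
LEGIT_BODY = "Your meeting is scheduled. Join at https://us02web.zoom.us/j/0000000000"

PHISH_FROM = "Zoom Security <security@zoom-us-alerts.example>"
PHISH_BODY = (
    "Your account will remain inactive until you install the security app: "
    "https://zoom.us.security-app.example/install or "
    "https://zoom.us@security-app.example/download"
)

if __name__ == "__main__":
    for label, hdr, body in (("legit", LEGIT_FROM, LEGIT_BODY), ("phish", PHISH_FROM, PHISH_BODY)):
        result = check_message(hdr, body)
        print(label, "->", result["red_flags"] or "no red flags")
```

The check is deliberately strict about labels: a host either ends in `.zoom.us` or it does not, and no amount of `zoom.us` appearing elsewhere in the URL counts. That is the same test the post applies by eye to the sender address and the download page.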

UPDATE: You can read my analysis of this threat here.

Zoom Fixes Mac Security Bug… Until Someone Discovers The Next Security Bug

Posted in Commentary with tags on August 15, 2022 by itnerd

Yesterday I spoke of a flaw in Zoom’s update process on the Mac:

During his talk at DefCon, though, [Patrick] Wardle announced another Mac vulnerability he discovered in the installer itself. Zoom now conducts its signature check securely, and the company plugged the downgrade attack opportunity. But Wardle noticed that there is a moment after the installer verifies the software package—but before the package installs it—when an attacker could inject their own malicious software into the Zoom update, retaining all the privileges and checks that the update already has. Under normal circumstances, an attacker would be able to grab this opportunity only when a user is installing a Zoom update anyway, but Wardle found a way to trick Zoom into reinstalling its own current version. The attacker can then have as many opportunities as they want to attempt to insert their malicious code and gain the Zoom automatic update installer’s root access to the victim device.

Over the last 24 hours, Zoom has rolled out a fix for this. Version 5.11.5 of its Mac app is now available and you should go download this now to fix this issue. And the guy who found this issue, Patrick Wardle has effectively given this fix his stamp of approval:

So while Zoom was able to fix this quickly, I have to say that this is simply the latest security flaw that has been found in their app. Over the years I have covered flaw after flaw with Zoom. And then there’s the part about them lying about end-to-end encryption and getting caught doing so. What that says to me is that their security processes are at best sketchy. If Zoom really wants to shake its past demons of playing fast and loose with security, then it needs to make sure that stuff like this is an edge case and not a common occurrence. But for now, this issue is closed. But rest assured there’ll be another one, as I guarantee you that a lot of people are looking at their code looking for exploits. And not all of them will be like Patrick Wardle and tell them about what they find.

Zoom Is In Trouble Again…. This Time They Have Security Issues With Their Update Process For Mac

Posted in Commentary with tags on August 14, 2022 by itnerd

Zoom seems to be a company that can’t stay out of trouble. This time well known security researcher Patrick Wardle has disclosed a trio of vulnerabilities in Zoom’s update process. Two have been patched, but one is unpatched and Wired has the details:

During his talk at DefCon, though, Wardle announced another Mac vulnerability he discovered in the installer itself. Zoom now conducts its signature check securely, and the company plugged the downgrade attack opportunity. But Wardle noticed that there is a moment after the installer verifies the software package—but before the package installs it—when an attacker could inject their own malicious software into the Zoom update, retaining all the privileges and checks that the update already has. Under normal circumstances, an attacker would be able to grab this opportunity only when a user is installing a Zoom update anyway, but Wardle found a way to trick Zoom into reinstalling its own current version. The attacker can then have as many opportunities as they want to attempt to insert their malicious code and gain the Zoom automatic update installer’s root access to the victim device.

“The main reason I looked at this is that Zoom is running on my own computer,” Wardle says. “There’s always a potential tradeoff between usability and security, and it’s important for users to install updates for sure. But if it’s opening this broad attack surface that could be exploited, that’s less than ideal.”

To exploit any of these flaws, an attacker would need to already have an initial foothold in a target’s device, so you’re not in imminent danger of having your Zoom remotely attacked. But Wardle’s findings are an important reminder to keep updating—automatically or not.
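The installer flaw described in the Wired excerpt quoted in this post and in the one above is a time-of-check/time-of-use gap: the package is verified, and then whatever sits at that path a moment later is what gets installed. The following is an added illustration of that pattern and of the usual fix, not Zoom’s code and not a reproduction of the actual bug: the file being swapped in the gap is simulated by a plain write inside the same process, and a SHA-256 digest stands in for the code-signature check. The safe variant reads the package once, verifies those bytes, and installs exactly those bytes via an atomic rename, so nothing that happens to the path in between can change what lands on disk.

```python
"""Verify-then-install two ways: re-reading the package by path after the check
(a time-of-check/time-of-use window) versus installing the bytes that were verified.
Added illustration; the swap in demo() is simulated and the digest stands in for a signature."""
import hashlib
import os
import shutil
import tempfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_by_path(pkg_path: str, expected_digest: str) -> bool:
    """Stand-in for a signature check that opens the package by name."""
    with open(pkg_path, "rb") as f:
        return sha256(f.read()) == expected_digest


def install_with_window(pkg_path: str, dest_path: str, expected_digest: str, between=None) -> bool:
    """Verifies the file, then re-opens it by name to install it.
    `between` simulates whatever else touches pkg_path in the gap."""
    if not verify_by_path(pkg_path, expected_digest):
        return False
    if between:
        between()
    shutil.copyfile(pkg_path, dest_path)  # copies whatever is at pkg_path *now*
    return True


def install_verified_bytes(pkg_path: str, dest_path: str, expected_digest: str, between=None) -> bool:
    """Reads the package once, verifies those bytes, and installs exactly them."""
    with open(pkg_path, "rb") as f:
        data = f.read()
    if sha256(data) != expected_digest:
        return False
    if between:
        between()  # the path may change here; `data` cannot
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest_path) or ".")
    with os.fdopen(fd, "wb") as out:
        out.write(data)
    os.replace(tmp, dest_path)  # atomic rename into place
    return True


def demo() -> dict:
    """Constructed scenario: a staged package is overwritten between check and install.
    Returns {variant: (install_reported_ok, installed_content_is_the_verified_one)}."""
    genuine = b"GENUINE UPDATE v1"
    swapped = b"SOMETHING ELSE"
    expected = sha256(genuine)
    results = {}
    with tempfile.TemporaryDirectory() as d:
        pkg = os.path.join(d, "update.pkg")

        def stage():
            with open(pkg, "wb") as f:
                f.write(genuine)

        def swap():  # simulated: another writer replaces the file during the gap
            with open(pkg, "wb") as f:
                f.write(swapped)

        for name, installer in (("window", install_with_window),
                                ("verified_bytes", install_verified_bytes)):
            stage()
            dest = os.path.join(d, f"installed_{name}")
            ok = installer(pkg, dest, expected, between=swap)
            with open(dest, "rb") as f:
                results[name] = (ok, f.read() == genuine)
    return results


if __name__ == "__main__":
    for variant, (ok, intact) in demo().items():
        print(f"{variant}: verification passed={ok}, installed content intact={intact}")
```

Both variants report that verification passed; only the second one ends up installing what was verified. On a real system the same idea has to be paired with staging the package somewhere only the privileged installer can write, because an installer that hands a path to another tool (as a package installer does) reopens the file by name no matter how carefully the caller read it.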

The bigger problem with this is that yet again, Zoom has been caught with its pants down so to speak. They keep having security issue after security issue to the point where I wonder if they are playing “whack a mole” when it comes to fixing issues with their applications. At this point one has to wonder if the company takes security seriously or not. Having said that, be sure to update when a fix for this latest security issue appears.

Zoom To Pay Up Big Time In “Zoom-Bombing” Class Action Lawsuits

Posted in Commentary with tags on April 24, 2022 by itnerd

For those of you who aren’t aware of this, “Zoom-Bombing” is when uninvited guests crash your Zoom meeting and do anything from just listening in to playing porn, or anything in between. It was a big deal a couple of years ago. This led to a string of class action lawsuits against Zoom claiming:

  • Zoom failed to prevent “Zoombombings”
  • Zoom unlawfully shared data with authorized third parties such as Facebook, Google and LinkedIn
  • Zoom lied about the strength of its end-to-end encryption protocols

I guess Zoom decided that it was cheaper to settle than to fight. Which has led to them settling 14 different class action lawsuits:

As part of the settlement agreement, Zoom Video Communications, the company behind the teleconference application that grew popular during the pandemic, will pay the $85m to users in cash compensation and also implement reforms to its business practices.

And here are the changes that Zoom must make:

As part of the settlement, Zoom has agreed to over a dozen changes to its business practices that are designed to “improve meeting security, bolster privacy disclosures and safeguard consumer data”, according to court documents.

As part of those changes, the company is required to develop and maintain a user-support ticket system to track reports of meeting disruptions, a documented process for communicating with law enforcement regarding disruptions that include illegal content, a suspend-meeting button and the ability to block users from certain countries.

A lawyer representing Zoom put out a comment putting some spin on this:

Mark Molumphy, a partner at Cotchett, Pitre & McCarthy, LLP said:

“Millions of Americans continue to use Zoom’s platform with the expectation that their conversations will be kept private and secure. This groundbreaking settlement will provide a substantial cash recovery to Zoom users and implement privacy practices that, going forward, will help ensure that users are safe and protected.”

But at the same time a lawyer representing the plaintiffs had this to say:

Tina Wolfson, a partner at Ahdoot Wolfson said:

“In the age of corporate surveillance, this historic settlement recognizes that data is the new oil and compensates consumers for unwittingly providing data in exchange for a free service. It also compensates those who paid for a product they did not receive and commits Zoom to changing its corporate behavior to better inform consumers about their privacy choices and provide stronger cybersecurity.”

Now, you don’t have to wait for Zoom to make changes to protect yourself from being “Zoom-Bombed”. Here are my tips for using Zoom safely:

  • When you send out a meeting invite, ensure that the meeting has a password associated with it. This support document can help you with that.
  • Don’t share the meeting invite on social media. Send it directly to the invitees.
  • Use the waiting room function which puts users who join your meeting into a virtual waiting room that allows you to identify them and admit them to the meeting if they are supposed to be there. This support document will explain how to use that feature.
  • Don’t use your personal meeting ID for meetings if you can avoid it.
  • Keep your audio and video off by default when joining a meeting. That way when you join, you can enable what you need to or feel comfortable enabling. This support document will tell you how to do that.
  • Don’t keep Zoom running on your computer if you don’t need it.
  • Make sure you have a strong password for your Zoom account. This support document can help you with that.

The first four items will help you to mitigate “Zoom-Bombings”. The last three are more of a suggestion to protect your privacy.

Hopefully Zoom learns from this as this is not the first time that Zoom has paid up to make a lawsuit go away. And I have to imagine that cutting these cheques is starting to get expensive.