The IT Nerd

Yesterday I spoke of a flaw in Zoom’s update process on the Mac:

During his talk at DefCon, though, [Patrick] Wardle announced another Mac vulnerability he discovered in the installer itself. Zoom now conducts its signature check securely, and the company plugged the downgrade attack opportunity. But Wardle noticed that there is a moment after the installer verifies the software package—but before the package installs it—when an attacker could inject their own malicious software into the Zoom update, retaining all the privileges and checks that the update already has. Under normal circumstances, an attacker would be able to grab this opportunity only when a user is installing a Zoom update anyway, but Wardle found a way to trick Zoom into reinstalling its own current version. The attacker can then have as many opportunities as they want to attempt to insert their malicious code and gain the Zoom automatic update installer’s root access to the victim device.

Over the last 24 hours, Zoom has rolled out a fix for this. Version 5.11.5 of its Mac app is now available and you should go download this now to fix this issue. And the guy who found this issue, Patrick Wardle has effectively given this fix his stamp of approval:

So while Zoom was able to fix this quickly, I have to say that this is simply the latest security flaw that has been found in their app. Over the years I have covered flaw after flaw with Zoom. And then there’s the part about them lying about end to end encryption and getting caught doing so. What that says to me that their security processes are at best sketchy. If Zoom really want to shake their past daemons of playing fast and loose with security, then they need to make sure that stuff like this are edge cases and not common occurrences. But for now, this issue is closed. But rest assured they’ll be another one as I guarantee you that a lot of people are looking at their code looking for exploits. And not all of them will be like Patrick Wardle and tell them about what they find.

Zoom seems to be a company that can’t stay out of trouble. This time well known security researcher Patrick Wardle has disclosed a trio of vulnerabilities in Zoom’s update process. Two have been patched, but one is unpatched and Wired has the details:

During his talk at DefCon, though, Wardle announced another Mac vulnerability he discovered in the installer itself. Zoom now conducts its signature check securely, and the company plugged the downgrade attack opportunity. But Wardle noticed that there is a moment after the installer verifies the software package—but before the package installs it—when an attacker could inject their own malicious software into the Zoom update, retaining all the privileges and checks that the update already has. Under normal circumstances, an attacker would be able to grab this opportunity only when a user is installing a Zoom update anyway, but Wardle found a way to trick Zoom into reinstalling its own current version. The attacker can then have as many opportunities as they want to attempt to insert their malicious code and gain the Zoom automatic update installer’s root access to the victim device.

“The main reason I looked at this is that Zoom is running on my own computer,” Wardle says. “There’s always a potential tradeoff between usability and security, and it’s important for users to install updates for sure. But if it’s opening this broad attack surface that could be exploited, that’s less than ideal.”

To exploit any of these flaws, an attacker would need to already have an initial foothold in a target’s device, so you’re not in imminent danger of having your Zoom remotely attacked. But Wardle’s findings are an important reminder to keep updating—automatically or not.

The bigger problem with this is that yet again, Zoom has been caught with its pants down so to speak. They keep having security issue after security issue to the point where I wonder if they are playing “whack a mole” when it comes to fixing issues with their applications. At this point one has to wonder if the company takes security seriously or not. Having said that, be sure to update when a fix for this latest security issue appears.

A question a couple of my clients have called me to troubleshoot an issue that I want to bring to light. And it’s one that I have been able to reproduce rather easily.

Here’s the rundown.

If you have Zoom 5.91 or earlier installed on your Mac, and you’re running macOS Monterey 12.1 or earlier, and the Zoom app is running but not in a meeting of any sort, you’ll eventually notice that the orange dot that denotes when your microphone is in use appears in the top right corner on the menu bar. It will look like this:

One of the things that was added to macOS Monterey was a notification that lets you know when the microphone is in use. And that notification is the orange dot that you see above. And it appears that the Zoom app is apparently using the microphone. Which I confirmed by checking control center.

I tested this after reboots and in one case a reinstall of macOS and always got this result. Now to be clear, my guess is that Zoom are not spying on their users. But this isn’t a good look for Zoom regardless as many people are going to assume that they are. And in the process of researching this, I found out two things:

• First, this was supposedly fixed in version 5.91 of Zoom as per these release notes. But that apparently does not seem to be true as I was able to reproduce this numerous times on numerous macOS computers with version 5.91. This takes away Zoom’s ability to say that users should simply update to the latest version.
• Second, I am not alone in seeing this. This thread in the Zoom community along with this thread on Stackexchange details people seeing this as well. So clearly this is a pervasive problem that hasn’t been addressed by Zoom.

My advice is that you should only run the Zoom client when you actually need it until this gets addressed. Or if you’re really paranoid, use another conferencing product. As for Zoom, they’ve had their issues with security over the years. If you search my blog you will find those stories with ease. They need to step up and put this to bed quickly if they want to avoid going back to the days where trust in their product was questionable at best.

UPDATE 2/11/22: Zoom said that it has fixed the issue in version 5.9.3. But they said that in version 5.9.1 so I would only run Zoom when you need to run it to mitigate this issue should it still be present.

Zoom will have to cut a rather big cheque to the tune of $85 million to make a lawsuit related to lying about offering end-to-end encryption on its services, as well as providing user data to Facebook and Google without permission. Here’s the details:

Zoom has agreed to pay $85 million to settle claims that it lied about offering end-to-end encryption and gave user data to Facebook and Google without the consent of users. The settlement between Zoom and the filers of a class-action lawsuit also covers security problems that led to rampant “Zoombombings.”

The proposed settlement would generally give Zoom users $15 or $25 each and was filed Saturday at US District Court for the Northern District of California. It came nine months after Zoom agreed to security improvements and a “prohibition on privacy and security misrepresentations” in a settlement with the Federal Trade Commission, but the FTC settlement didn’t include compensation for users.

I should note that Zoom has addressed a lot of these issues. And Zoom is making craploads of money. So does this really punish Zoom for their behavior? I don’t think so.

It seems that Zoom cannot stay out of the news for all the wrong reasons. This time Zoom is in hot water because Zoom issued a statement on Thursday acknowledging that the Chinese government requested that it suspend the accounts of several U.S.- and Hong Kong-based Chinese activists for holding events commemorating the anniversary of the 1989 Tiananmen Square massacre:

Recent articles in the media about adverse actions we took toward Lee Cheuk-yan, Wang Dan, and Zhou Fengsuo have some calling into question our commitment to being a platform for an open exchange of ideas and conversations. To be clear, their accounts have been reinstated, and going forward, we will have a new process for handling similar situations. 

We will do better as we strive to make Zoom the most secure and trusted way to bring people together. 

Now if you read the rest of the blog post, Zoom acknowledges that they screwed up here. And that they are going to take corrective actions:

• Going forward Zoom will not allow requests from the Chinese government to impact anyone outside of mainland China.
• Zoom is developing technology over the next several days that will enable us to remove or block at the participant level based on geography. This will enable us to comply with requests from local authorities when they determine activity on our platform is illegal within their borders; however, we will also be able to protect these conversations for participants outside of those borders where the activity is allowed.
• We are improving our global policy to respond to these types of requests. We will outline this policy as part of our transparency report, to be published by June 30, 2020.

Now that isn’t good enough for some. Three U.S. lawmakers asked Zoom to clarify its data-collection practices and relationship with the Chinese government:

Representatives Greg Walden, the top Republican on the House Energy and Commerce Committee, and Cathy McMorris Rodgers, the ranking member of a consumer subcommittee, sent a letter to Zoom CEO Eric Yuan on Thursday asking him to clarify the company’s data practices, whether any was shared with Beijing and whether it encrypted users’ communications. 

Republican Senator Josh Hawley also wrote to Yuan asking him to “pick a side” between the United States and China. 

The three politicians have previously expressed concerns about TikTok’s owner, Chinese firm ByteDance, which is being scrutinized by U.S. regulators over the personal data the short video app handles.

Seeing as this is an election year, I would not be at all surprised if Congressional Hearings were called and Zoom CEO Eric Yuan was called onto the carpet. Because if Yuan thought his blog post would put out the fire related to this latest scandal, he’d be wrong.

Zoom has been working hard to overcome their security issues over the last few months. One of the things that they needed to address is the fact that communications were not end to end encrypted, even though the company claimed that they were. The company finally admitted that this was something that needed to be addressed. And it looks like that end to end encryption is about to be lit up, assuming that you have the latest version of the Zoom app, and you happen to be a paying customer:

The company, whose business has boomed with the coronavirus pandemic, discussed the move on a call with civil liberties groups and child-sex abuse fighters on Thursday, and Zoom security consultant Alex Stamos confirmed it on Friday. 

In an interview, Stamos said the plan was subject to change and it was not yet clear which, if any, nonprofits or other users, such as political dissidents, might qualify for accounts allowing more secure video meetings. 

He added that a combination of technological, safety and business factors went into the plan, which drew mixed reactions from privacy advocates.

Now I can look at this two ways:

• It makes sense that Zoom would focus this on paying customers. After all, that is what keeps the lights on. It also gets rid of the people who are hogging resources related to the free tier of the app which likely costs Zoom money.
• Other apps like iMessage, WhatsApp, and Signal offer end to end encryption for free.

You’ll note that the plan is subject to change. I suspect that it may change based on either the blowback that they get, or if people on the free tier abandon the platform for another video chat solution en masse.

My take is that I think that Zoom is doing the right thing. Yes there’s going to be blowback from some who think Zoom should enable end to end encryption for all. But that’s really not viable in my opinion. Zoom is a business and not a charity. At some point they have to pay for all the security improvements that are going into the app. And if you want want those security improvements, you need to pay up. So I would suggest that users who are on the free tier of Zoom who want these improvements should put their money where their mouths are.

With the closure of Canadian schools over the last 10 weeks and with many not scheduled to reopen this school year, video communication technology has become an essential tool for many educators as they look to maintain the feeling of in-person classes and lessons. To help teachers, students and parents get the most out of their virtual classrooms, Zoomhas put together a number of resources and best practices designed to facilitate a smooth and secure transition to online learning.

Best practices for securing online classrooms

With security as a paramount concern for educators, parents and students alike, it’s important that teachers know exactly how to control the virtual meeting environment. Zoom has developed an online resource guide to help facilitate secure online learning sessions. Some of the top tips include:

• Lock your virtual classroom: Teachers can lock a Zoom session that’s already started so no one else can join. Give students time to join and then lock the meeting (kind of like closing the classroom after the bell!).
• Use the Waiting Room: The Waiting Room feature is one of the best ways to protect your Zoom virtual classroom and keep out those who aren’t supposed to be there. There are two options to choose from when this is in use: either all participants will be sent to the virtual waiting area, where the teacher can admit them individually or all at once; or the host can opt to have known students skip the Waiting Room and join, but have anyone not signed in/part of your school sent to the virtual waiting area. (As of March 31, the Waiting Room feature is automatically turned on by default.)
• Control screen sharing: Zoom has recently updated its settings for educational users to allow only the host (typically the teacher) to share his or her screen by default. If students need to share their screens, teachers can still give that privilege to students on a case-by-case basis.
• Lock down the chat: Much like a hawk-eyed teacher might stop a note being passed in class, teachers can restrict the chat function of Zoom so students cannot privately message others during class time.
• Other important security functions such as removing participants and securely scheduling a class are also available to teachers using Zoom to facilitate online learning. Please see all the tips on Zoom’s official blog.

Frequently asked questions – answered!
From hosting a webinar or a meeting, to properly setting up a virtual classroom for students, there are many questions teachers are looking to have answered — even if they have already started using Zoom for online teaching. Zoom has compiled a list of its top 10 virtual classroom most frequently asked questions for educational users to help teachers make the best of their online classrooms. Some of the top tips include:

• How do I share my screen? Screen sharing lets teachers present slides, videos and other content to students.
• Should I use a Zoom meeting or Zoom webinar? Webinars allow teachers to better present information in a one-to-many setting, similar to a lecture style, whereas meetings allow for more two-way flow of conversation. Which ever type of Zoom session teachers choose, they should consult the best practices for securing their online classroom.
• How do I take classroom attendance? Zoom can mimic a classroom attendance sheet by allowing teachers to review the registration report to see which students registered and attended a given class.
  

Be sure to review all the questions including how to see all your students on video, and how to host a meeting using a mobile device on the official Zoom blog and on this resource page for educators. Zoom regularly posts updates about product features and resources for users to its official blog.

Zoom and Keybase today announced that Zoom has acquired Keybase, a secure messaging and file-sharing service. The acquisition of this exceptional team of security and encryption engineers will accelerate Zoom’s plan to build end-to-end encryption that can reach current Zoom scalability. 

As members of Zoom’s security engineering function, the Keybase team will provide important contributions to Zoom’s 90-day plan to proactively identify, address, and enhance the security and privacy capabilities of its platform. Max Krohn, Keybase.io co-founder and developer will lead the Zoom security engineering team, reporting directly to Eric S. Yuan, CEO of Zoom. Leaders from Zoom and Keybase will work together to determine the future of the Keybase product. The terms of the transaction were not disclosed. 

Visit the Zoom blog for more details on the plans for building the end-to-end encryption offering. 

A blog post went up in the last 24 hours where Zoom has updated the public on its progress to improve their security. Which has you are likely aware has been found to be lacking as the popularity of the conferencing app has skyrocketed.

Besides announcing Zoom version 5.0, the company has also announced the following:

• AES 256-bit GCM encryption: Zoom is upgrading to the AES 256-bit GCM encryption standard, which offers increased protection of your meeting data in transit and resistance against tampering. This provides confidentiality and integrity assurances on your Zoom Meeting, Zoom Video Webinar, and Zoom Phone data. Zoom 5.0, which is slated for release within the week, supports GCM encryption, and this standard will take effect once all accounts are enabled with GCM. System-wide account enablement will take place on May 30.
• Security icon: Zoom’s security features, which had previously been accessed throughout the meeting menus, are now grouped together and found by clicking the Security icon in the meeting menu bar on the host’s interface.
• Robust host controls: Hosts will be able to “Report a User” to Zoom via the Security icon. They may also disable the ability for participants to rename themselves. For education customers, screen sharing now defaults to the host only.
• Waiting Room default-on: Waiting Room, an existing feature that allows a host to keep participants in individual virtual waiting rooms before they are admitted to a meeting, is now on by default for education, Basic, and single-license Pro accounts. All hosts may now also turn on the Waiting Room while their meeting is already in progress.
• Meeting password complexity and default-on: Meeting passwords, an existing Zoom feature, is now on by default for most customers, including all Basic, single-license Pro, and K-12 customers. For administered accounts, account admins now have the ability to define password complexity (such as length, alphanumeric, and special character requirements). Additionally, Zoom Phone admins may now adjust the length of the pin required for accessing voicemail.
• Cloud recording passwords: Passwords are now set by default to all those accessing cloud recordings aside from the meeting host and require a complex password. For administered accounts, account admins now have the ability to define password complexity.
• Secure account contact sharing: Zoom 5.0 will support a new data structure for larger organizations, allowing them to link contacts across multiple accounts so people can easily and securely search and find meetings, chat, and phone contacts.
• Dashboard enhancement: Admins on business, enterprise, and education plans can view how their meetings are connecting to Zoom data centers in their Zoom Dashboard. This includes any data centers connected to HTTP Tunnel servers, as well as Zoom Conference Room Connectors and gateways.
• Additional: Users may now opt to have their Zoom Chat notifications not show a snippet of their chat; new non-PMI meetings now have 11-digit IDs for added complexity; and during a meeting, the meeting ID and Invite option have been moved from the main Zoom interface to the Participants menu, making it harder for a user to accidentally share their meeting ID.

This all seems positive. But I would wait to see what security researchers have to say about all of this. After all, it’s those same security researchers who raised the alarm about the security issues with Zoom. Thus their opinions will really tell you if Zoom has really stepped up to the plate to fix their issues.