Major security flaws in Zoom could leave your PC vulnerable
The coronavirus pandemic has left many countries on lockdown. Businesses and schools are closed down to the public leaving many isolated in their homes.
With many people working and learning from home, they have turned to video chat services such as Zoom to keep getting things done. However, researchers have found yet more security flaws in the application that could leave your PC vulnerable.
More Zoom security issues
Despite its popularity, Zoom has had its fair share of security and privacy issues in the past months. Most recently, two new vulnerabilities have surfaced in the platform that could allow malicious users to execute code on targeted computers.
The vulnerabilities were discovered by Cisco Talos, a cyber threat intelligence team that provides network security solutions against emerging threats.
One of the security issues, TALOS-2020-1055, is described as a “Zoom client application chat Giphy arbitrary file write exploit.” According to the researchers, a specially crafted chat message can cause an arbitrary file write, which could later be further exploited to achieve code execution on the targeted PC.
In order to exploit the vulnerability, the attacker would send a message to a user or group of users. While the feature was supposed to load content only from Giphy servers, content from an arbitrary server could be loaded. This could then be leveraged to leak further information or to exploit additional vulnerabilities.
The other issue, TALOS-2020-1056, is described as a “Zoom client application chat code snippet remote code execution vulnerability.” Cisco Talos says that in Zoom Client version 4.6.10 a path traversal vulnerability exists in the way this version processes messages, including shared code snippets.
In order to exploit the vulnerability, attackers would need to craft chat messages that could lead to arbitrary code execution. That message could then be sent to an individual or even to a group. The targeted user would have to interact with the message for attackers to get the most severe impact from the flaw.
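Both advisories come down to the same two input-validation failures: content fetched from a host that is not the one the feature was designed for, and a file name taken from a chat message being used to write to disk without being confined to the intended directory. The following is an added illustration of the defensive checks a chat client would apply at those two points; it is not Zoom's code and not from the Talos advisories. The allowlisted Giphy host names, the snippet directory and the message layout are constructed for the example.

```python
"""Defensive checks for chat-delivered GIF URLs and code-snippet file names.

Hypothetical illustration of the two controls whose absence the advisories
describe: an exact host allowlist for fetched media, and a containment check
for file names before anything is written to disk. Not Zoom's code.
"""
import os
from typing import List, Optional
from urllib.parse import urlparse

# Constructed allowlist: the hosts the GIF feature is meant to talk to.
# Matching is exact, so "media.giphy.com.attacker.example" does not pass.
GIPHY_HOSTS = frozenset({"giphy.com", "media.giphy.com"})


def gif_url_is_allowed(url: str, allowed_hosts=GIPHY_HOSTS) -> bool:
    """Accept only https URLs whose host is exactly on the allowlist.

    urlparse().hostname strips any "user@" prefix and port, so a URL such as
    https://media.giphy.com@attacker.example/ resolves to attacker.example
    and is rejected rather than matched on a substring.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False
    host = (parsed.hostname or "").lower().rstrip(".")
    return host in allowed_hosts


def resolve_snippet_path(base_dir: str, untrusted_name: str) -> Optional[str]:
    """Return the absolute path for an attacker-supplied file name, or None.

    The name is rejected if it is empty, absolute, or if, after resolving
    ".." segments and symlinks, it lands outside base_dir. Writing only to
    paths this function returns prevents path traversal from turning a
    snippet share into an arbitrary file write.
    """
    if not untrusted_name or os.path.isabs(untrusted_name):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, untrusted_name))
    # commonpath() compares whole path components, so "/var/app/snippets2"
    # is correctly treated as outside "/var/app/snippets".
    if os.path.commonpath([base, candidate]) != base or candidate == base:
        return None
    return candidate


def screen_chat_message(message: dict, snippet_dir: str) -> List[str]:
    """Apply both checks to one message and return the reasons for rejection.

    The message layout ({"gif_url": ..., "snippet_files": [...]}) is an
    assumption made for this example, not a real chat protocol.
    """
    problems = []
    gif_url = message.get("gif_url")
    if gif_url is not None and not gif_url_is_allowed(gif_url):
        problems.append("gif_url host not on allowlist: %s" % gif_url)
    for name in message.get("snippet_files", []):
        if resolve_snippet_path(snippet_dir, name) is None:
            problems.append("snippet file name escapes snippet dir: %r" % name)
    return problems


if __name__ == "__main__":
    # Constructed sample messages: one benign, one carrying both problems.
    benign = {"gif_url": "https://media.giphy.com/media/abc123/giphy.gif",
              "snippet_files": ["example.py"]}
    hostile = {"gif_url": "https://media.giphy.com@attacker.example/x.gif",
               "snippet_files": ["../../.config/autostart/run.desktop"]}
    for msg in (benign, hostile):
        print(msg, "->", screen_chat_message(msg, "/var/app/snippets") or "ok")
```

The two checks are independent: the host allowlist stops the client from fetching from an arbitrary server at all, and the containment check means that even a message the client does process can only create files inside the directory set aside for snippets.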
Zoom has aided people working and learning from home during this pandemic
It is as if the world stopped when governments across the globe imposed hard lockdowns to contain the spread of the coronavirus in their respective areas. Because of that, many have been forced to adapt to a new arrangement – working and learning from home.
Because physical contact is impossible during this isolation, people need to work and learn while staying in the comfort of their homes. This shift has led to a massive increase in app downloads.
In the graph above, you can see that downloads of apps related to ‘remote work’ and ‘education’ have increased 1,457% and 1,087% respectively.
People working from home still need a tool that lets them communicate with their colleagues seamlessly, discuss business-related issues without interruption, and keep the company informed of crucial developments during a pandemic.
Meanwhile, students’ learning continues despite not being in a real classroom. Because of that demand, video chat apps have seen an increase in usage since the coronavirus pandemic wreaked havoc, and Zoom is one of the apps that has seen explosive growth in its usage.
Zoom’s high demand since the start of the coronavirus pandemic
In late March, Zoom faced security issues involving ‘zoombombing’, where uninvited users could gatecrash calls that had no restrictions and disrupt them. Another issue allowed hackers to use URL links in Zoom to obtain users’ Windows log-in credentials.
These issues did not affect the app’s skyrocketing growth. In fact, so far in 2020 it has added 2.22 million monthly active users, which shows how high the demand for the app has been since the pandemic began.
While the full extent of the pandemic is still uncertain, this work/learn-at-home arrangement is going to remain in place in the months to come. That is why security researchers are warning Zoom users about this kind of vulnerability.