Recently, two vulnerabilities related to Zoom are circulating on Internet, that is not only exploiting clients’ information and also MMR servers. An analysis was published by a researcher from Project Zero named Natalie Silvanovich who highlighted the security flaws associated with this video streaming platform.
Zoom Vulnerabilities: The new Talk of Town
While telling about the vulnerabilities, the researcher said:
“In the past, I hadn’t prioritized reviewing Zoom because I believed that any attack against a Zoom client would require multiple clicks from a user,” the researcher explained. “That said, it’s likely not that difficult for a dedicated attacker to convince a target to join a Zoom call even if it takes multiple clicks, and the way some organizations use Zoom presents interesting attack scenarios.”
Silvanovich discovered two bugs in the platform:
- A buffer overflow issue that impacted both Zoom clients and Zoom Multimedia Routers (MMRs)
- Information leak security flaw central to MMR servers
Apart from this, a lack of Address Space Layout Randomization (ASLR), a security mechanism that protects against memory corruption attacks was also found.
“ASLR is arguably the most important mitigation in preventing exploitation of memory corruption, and most other mitigations rely on it on some level to be effective. “There is no good reason for it to be disabled in the vast majority of software.”
These bugs are compromising the privacy of virtual meetings that are held without end-to-end encryption.
“These barriers to security research likely mean that Zoom is not investigated as often as it could be, potentially leading to simple bugs going undiscovered,. “Closed-source software presents unique security challenges, and Zoom could do more to make their platform accessible to security researchers and others who wish to evaluate it.”
While the vulnerabilities are now discovered, Zoom is working to fix them. Let’s see when the issue will be resolved.