I remember Flash
Is Zoom the new "Flash player" of security vulnerabilities?
Zoom fixed a pair of privilege escalation vulnerabilities, which were detailed at the Black Hat conference this month, but that patch was bypassed, necessitating yet another fix. Patrick Wardle, cybersecurity researcher and founder of Objective-See, talked about the two macOS Zoom client vulnerabilities at Black Hat, both of …
Given that it is software that the majority of people must have installed and use regularly today, just like Flash was back in the day, I suppose so.
It pays to spend your efforts trying to find holes in more widely distributed software. There might be holes in AutoCAD big enough to drive a truck through, but with 0.1% of the population having it installed it isn't worth the effort for the typical black hat to look for holes in it.
That's also why you see Google and Apple constantly patching Chrome and Safari security issues. The browser is a huge target of opportunity because everyone uses the web.
It is depressing that years keep ticking by, and no one has become any better at writing secure software. If anything, things are worse today than when we started making fun of Adobe's constant patching of Flash.
If we went back to MS-DOS and ran just one program at a time, it would be a lot easier (there were still viruses, but they were mainly propagated by floppy-net). Multi-tasking systems will always present a harder challenge. At a basic level, allowing a PC access to a network is a vulnerability.
The demand for the internet browser to be the all-dancing UI is an almost impossible attack interface to defend. Personally, I lock my browser (Safari, by default) down as tight as I can, whilst still being able to achieve what is needed.
In most cases, vulnerabilities are not the result of carelessness, or even incompetence (unless we expect those providing software to be 100% perfect (I know that's a tautology - but it's deliberate to emphasise a point)) - they're a fact of life, just as biological viruses are.
MS-DOS did let some programs run concurrently, though not as we now think of it. And if you don't have some degree of this, every program has to implement all its own drivers, which is just another source of bugs, as anyone who worked with peripherals more complicated than a mouse and keyboard should remember.
The comparison with modern runtimes and Flash is misleading. The Flash runtime was insecure almost by design, which is why it was so difficult to secure. Modern exploits are increasingly targeting esoteric side effects of what is generally well-written code.
As a result I think browsers are reasonably secure and only run things like Zoom in them rather than installing a separate app.
Agreed. I'd also add that 20 years ago you had kids doing it for fun; now it's both a major money-spinner for organised crime AND a hugely effective weapon for governments. Many examples, but the DNC email hack put Trump in power, which did huge damage to the US, internally and externally.
The fact you're not seeing more hacks is testament to the huge increase in awareness and effort at all layers in the software stack.
SOME modern exploits may target side effects of well written code in the really carefully crafted ones (like the amazingly complex NSO exploit against the iPhone that required at least five separate exploits chained together and undoubtedly represented millions in R&D)
But you still see plenty of the out of bounds memory writes and poor input validation issues that have been around since the Morris Worm. You only need to look at all the security patches for Chrome and Safari to see that those old school exploits are still very much alive and kicking, even if there have been some more esoteric ones added to the collection - which are mostly for new target types i.e. there's little need to use side channel attacks against a single user device like a phone. But if you want to attack something running in a hypervisor - which 30 years ago was a mainframe only thing - that's the way attackers have adapted to what was once considered nearly impenetrable security.
If you believe that nothing is monitoring you then please book an appointment with a psychiatrist to help you avoid problems in the future... is that a joke or is it simply the way everything works these days? I'm not pissed about this, I'll have a beer and then stop in the loo before I leave the pub to eliminate any beer monitoring risks (OK, that's a joke).
> If you believe that nothing is monitoring you
If there is money to be made, it is bound to happen. Never mind people thinking "I'm too unimportant for them to bother"; most plankton organisms are so small they're barely visible, yet they feed huge whales! It's the quantity that makes the difference: a million nobodies are well worth a much rarer somebody.
I find it unbelievable that a company as large as Zoom couldn't even patch an externally disclosed flaw properly on the first release. Doesn't the word 'release' have any meaning in terms of testing and quality to Zoom?
Missing an exploit, sure, it happens. But the initial flawed patch release should entail a consequence to the senior manager who signed off the release.
You might want to apply for that job.
I'm not a fan of Zoom, or "video conferencing" in general for that matter, and it doesn't have a great track record in security. But getting this right, especially once the software has been released, is often harder than you think.
As users we also have the choice to run this kind of thing in the browser, which does give an extra layer of protection. And credit should go to Google, Firefox and others for: improving the plugin architecture in general; adding WebRTC to browsers to make plugins even less required.
No, permissions are fine-grained for things like microphone and camera. Technically, anything that has real access to hardware has the godlike powers of root. But there is a difference between permission being given on a per process basis and running as root. That said, I removed Zoom fairly quickly from my system once I realised it couldn't be installed for a single user only.
From the Verge
https://www.theverge.com/2022/8/12/23303411/zoom-defcon-root-access-privilege-escalation-hack-patrick-wardle
Patrick Wardle states
The exploit works by targeting the installer for the Zoom application, which needs to run with special user permissions in order to install or remove the main Zoom application from a computer. Though the installer requires a user to enter their password on first adding the application to the system, Wardle found that an auto-update function then continually ran in the background with superuser privileges.
When Zoom issued an update, the updater function would install the new package after checking that it had been cryptographically signed by Zoom. But a bug in how the checking method was implemented meant that giving the updater any file with the same name as Zoom’s signing certificate would be enough to pass the test—so an attacker could substitute any kind of malware program and have it be run by the updater with elevated privilege.
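The quoted description boils down to an updater that trusted a name rather than a cryptographic signature. The following is an added illustration, not Zoom's code and not its file format: a constructed update package with a claimed signer name, a payload and an Ed25519 signature, checked once the weak way (name only) and once the hardened way (pinned public key, signature over the payload). The vendor name, key pair and payloads are all made up for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// UpdatePackage is a constructed stand-in for what an auto-updater receives.
// Field names are illustrative, not any real vendor's format.
type UpdatePackage struct {
	SignerName string // name the package claims for its signing certificate
	Payload    []byte // the installer bytes
	Sig        []byte // Ed25519 signature over Payload, if any
}

// trustedSignerName is a placeholder; a real check pins a key, not a string.
const trustedSignerName = "ExampleVendor Code Signing"

// weakCheck shows the pattern described above: it trusts the claimed name and
// never looks at a signature, so anything presenting the expected name passes.
func weakCheck(p UpdatePackage) bool {
	return p.SignerName == trustedSignerName
}

// strongCheck pins the vendor's public key and verifies the signature over the
// payload, so a right name with no valid signature, or a tampered payload, fails.
func strongCheck(pub ed25519.PublicKey, p UpdatePackage) bool {
	if p.SignerName != trustedSignerName || len(p.Sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, p.Payload, p.Sig)
}

// signPackage is what a vendor's release pipeline would do with its private key.
func signPackage(priv ed25519.PrivateKey, payload []byte) UpdatePackage {
	return UpdatePackage{SignerName: trustedSignerName, Payload: payload, Sig: ed25519.Sign(priv, payload)}
}

// forgePackage builds a constructed package that only claims the trusted name.
func forgePackage(payload []byte) UpdatePackage {
	return UpdatePackage{SignerName: trustedSignerName, Payload: payload, Sig: bytes.Repeat([]byte{0}, ed25519.SignatureSize)}
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	if err != nil {
		panic(err)
	}
	genuine := signPackage(priv, []byte("constructed genuine installer"))
	forged := forgePackage([]byte("constructed unsigned installer"))
	fmt.Println("weak check accepts forgery:", weakCheck(forged))           // true
	fmt.Println("strong check accepts forgery:", strongCheck(pub, forged))  // false
	fmt.Println("strong check accepts genuine:", strongCheck(pub, genuine)) // true
}
```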
And people look at me crazy when I tell them to disable all auto-update functionality in any program for corporate deployment, BEFORE it hits the desktop. Why go to that trouble, they think?
1 - Buggy updates. You wanna wipe out the company with one fouled update that leaves the program stone dead, removes critical functionality, is known to be vulnerable or hoses the PC? Go ahead.
2 - Buggy updaters. Seems like this is the poster child. But it can just be that it doesn't realise the user does not have privileges to actually perform the update. Or just that they sit there consuming memory. The worst updaters have a process for each user that logged on to the PC!