[HN Gopher] Zoom zero-day discovery
___________________________________________________________________
Zoom zero-day discovery
Author : alexrustic
Score : 416 points
Date : 2021-04-09 11:56 UTC (11 hours ago)
(HTM) web link (blog.malwarebytes.com)
(TXT) w3m dump (blog.malwarebytes.com)
| socrates1998 wrote:
| Shit. I have to use Zoom for meeting with clients on an iMac,
| what should I do to keep my computer safe?
| treesknees wrote:
| It's not as though this is being actively exploited in the
| wild. Just keep your Zoom app updated.
| jtdev wrote:
| Is it just me, or does $200k seem far too low for this? I
| understand that the reward was paid by the event, not Zoom... but
| it seems to me that Zoom should "pony up" some additional funds
| for this research.
| disgruntled101 wrote:
| You are always free to sell the hacks for their """actual"""
| market value on the black market. Of course you need to launder
| the money, you might get jailed, you might have to flee the
| country and so on but at least you get your fair rate.
| amoshi wrote:
| You're overcomplicating, Zerodium exists.
| wffurr wrote:
| Or sell it to the NSA (or insert your national intelligence
| service here) as a defense contractor, which some might call
| your "patriotic duty".
| alwayseasy wrote:
| You need to set up as a defense contractor (and jump through
| all the hoops) just so you can sell a Zoom zero-day and
| realize the NSA will give you 50k?
| cosmodisk wrote:
| I doubt the rates are that good tbh..
| 14 wrote:
| A lot of the time we see someone getting like 10k. Also 200k is
| over 3 years of my wage, so I have to say no, it does not seem low
| to myself, but to others perhaps that is a low number; I
| value things differently. I hold high morals so I would not
| ever just sell an exploit to "the bad guys", so realistically I
| was never going to get the most money for said exploit, so it is
| not all about money.
| rvz wrote:
| > Is it just me, or does $200k seem far too low for this?
|
| For two researchers, that sounds like a lot. $100k each in less
| than a week for this bug sounds just rightly priced.
| renaudg wrote:
| There is most likely much more than a week of work behind
| this.
| jdmichal wrote:
| This is one of those "$10 for the hammer hit, $49,990 for
| knowing where to hit it" situations.
| [deleted]
| esnard wrote:
| Very few bounty programs offer that much for a single
| vulnerability. I'm not saying it's worth $200k, but $200k is
| definitely a huge payout in the security industry.
| tyingq wrote:
| I can't tell much from the gif, but perhaps. RCE for anyone
| that runs Zoom, or RCE for anyone in a meeting you're in or
| something else?
| brundolf wrote:
| Isn't it standard practice not to disclose a vulnerability at all
| (not just hiding the "technical details") until it's been
| patched? Why is this being made public?
| floatingatoll wrote:
| Pwn2own operates under a different banner than the 'standard
| practice' described.
| idiotsecant wrote:
| What percentage of these kinds of exploits does HN think are found
| by these kinds of white hat exercises, and what percentage are
| sitting out there in an intelligence service or private entity's
| 0-day database? I have always been curious.
| degenerate wrote:
| A wild guess is 3:1 (3 working 0-day exploits in existence for
| every 1 found with exercises like this). My reasoning is
| because every time there is a very high-priced bounty on an
| exploit, it seems to get discovered and pay out. So if
| governments and blackhats have people hunting full time for
| these exploits, you better bet they are finding them too.
| comboy wrote:
| If I were running an agency...
|
| You don't have to find many zero days. Just have enough. A huge
| backend of tools and network of contributors surely helps, but
| if a 0-day is gone in Zoom, and say you don't have their explicit
| cooperation (which you totally can have) and you only have one,
| then it may not be such a worry if it is commonly used with
| other software that you can own.
|
| Besides that, there are tiers of 0-days, some of which you
| would not touch unless the target is exceptionally valuable and
| you did some homework with oh-just-a-common-malware to learn
| about their system and response.
|
| There is no system that is secure. There may be systems that
| are obscure. But if they were targeted they could be owned
| with ease, because they are not popular and security is really
| really hard.
|
| This is not just crazy talk anymore, it's reality. It's enough
| to watch CVEs, think what you could do if you exploit them
| silently and what that allows you to do in the future. Watch
| them not only for abstractions on top, but for whole tons of
| firmware running both on your machine and machines that you
| trust. Oh and certificates... It's just too easy. Way too easy.
| jchw wrote:
| Not related, but: the other day I joined a Zoom call for the
| first time. I had no interest in using a native client, but when
| you first try to join the call and Zoom tries to download the
| client, Microsoft Edge warned me that it was "harmful to my
| device". For once SmartScreen and I are in agreement.
| spinny wrote:
| Not surprising. I just wonder how trivial it is to exploit and if
| it's not one of many "honest mistakes" that some companies
| sometimes commit. Some trivially exploitable and very reliable
| stack overflows on some routers come to mind ...
| marshmallow_12 wrote:
| Give Zoom some slack, critics. At least they honour their
| bounties, unlike Apple.
| https://news.ycombinator.com/item?id=26664714
| sneak wrote:
| Zoom's dark patterns trying to get you to install the app on your
| system (which demands administrator privileges, natch) are reason
| enough to resist ever running unsandboxed software from them.
| Their continued history of major security issues (remember that
| time that they had a local webserver offering RCE by design as
| part of the desktop client) is even more.
|
| Their browser app does not have feature parity; recently I had to
| participate in a conference and the browser version fucked up my
| camera's aspect ratio, a problem that doesn't exist in their full
| client. A burner laptop was required, and was wiped immediately
| after.
|
| Avoid Zoom whenever possible. Don't ask others to use it.
| wffurr wrote:
| "Makes calls safer". It fixes this particular no user input RCE
| vulnerability, but how many others remain? If this type of
| vulnerability is present at all in Zoom, then it stands to reason
| more wait to be discovered by sufficiently motivated attackers.
|
| These things shouldn't end with a bounty for the researcher and a
| patch by the vendor. It should end with a root cause analysis and
| a plan to fix that type of vulnerability across the entire app,
| or better yet, the whole industry via a research paper.
| nightcracker wrote:
| Yes, Zoom calls are now safer in the sense that the nuclear
| missile program got safer when the nuclear launch codes were
| changed from 0000000. Except in Zoom's case there isn't a human
| sitting in between the nuclear device and the world wide web.
| rijoja wrote:
| Oh the link actually says that it is not patched. So now
| everyone with an interest in nuclear devices knows that the
| code is something really easy to guess. The silver lining in
| this moving the nuclear warning system a few minutes closer
| to 12 is that the guy who pointed it out got a bonus and a
| raise!
| wffurr wrote:
| " does not affect the browser version" at least they weren't
| able to combine this with a browser security flaw to escape the
| JS sandbox.
| La1n wrote:
| What makes you assume no RCA will be done?
| wffurr wrote:
| I should clarify: _public_ RCA.
|
| Is $200k enough to motivate a company like Zoom to do an RCA
| after something like this? Maybe? I personally doubt it but
| don't have any real reasoning for it one way or another.
| swiley wrote:
| I'm still upset they try to force you to use their plugin.
| These would be less scary if it were just a web app.
| wasyl wrote:
| They do? I don't have any plugin installed and use Zoom in
| Firefox without major issues
| BlueTemplar wrote:
| Lol, I forgot that it could even be run in a web browser!
| ISL wrote:
| You can force it to use a web app by declining permission to
| run locally.
|
| The web-app has fewer capabilities (no gallery view, last I
| used it), but works great.
|
| Also, Meet is fully-featured and runs entirely in-browser.
| kiwijamo wrote:
| Meet performs quite poorly with a large number of
| participants (the tipping point being around 10 or so for
| me) in a meeting. I tried various browsers and found Chrome
| to be the worst performer; surprisingly, Firefox was
| somewhat better but still needed a refresh every now and
| then. macOS on a 2017 MacBook. This is one of many reasons
| keeping my $employer on Zoom. We just haven't found a
| decent video conferencing software that manages 25+ videos
| flawlessly. I know of colleagues using Teams successfully,
| but many people we meet with outside our organisation
| expect Zoom nowadays. I suspect any alternative will have
| to be very good to take over from Zoom as the preferred
| platform. That has yet to appear.
| tweetle_beetle wrote:
| I've wondered whether things like the gallery view
| limitation were actual technical hurdles, or just the
| modern equivalent of nagware to boost the app download
| metrics.
| ISL wrote:
| At the start of the pandemic, the web client had gallery
| view.
| Asraelite wrote:
| Is the lack of a gallery view a genuine technical
| constraint, or an artificial one introduced to get users to
| use the plugin?
| Steltek wrote:
| False dichotomy. There's a (likely) third option where
| they do not have sufficient engineering effort to do
| everything at once. Most users are on the app so that's
| where effort is applied. Yes, this means the webapp loses
| even more market share but thems the breaks.
| dhosek wrote:
| Given that Facebook _removed_ functionality from the
| mobile web view that was present in earlier versions and
| is still there in the desktop view (messages, cough), I
| think that it's a very fair question to raise about
| Zoom's choice to not allow gallery view in the web app.
| Steltek wrote:
| Putting aside that Zoom is not Facebook, "Zoom's choice
| to not allow gallery view" sounds very much like, "How
| long have you been beating your wife?" Zoom has not
| implemented gallery view. We know nothing about the whys,
| hows, and whats of the matter.
|
| Look, I prefer webapps when possible and keep mobile apps
| to a very minimum on my mobile (and preferably from
| F-Droid, at that). But I also understand that you can
| only do so much in a release and if your engineering team
| expertise, backlog, users, sales, EVERYTHING, is centered
| around native apps. Then damn it, you're going to make
| your native app look stellar because otherwise your
| competitors will get a leg up over you.
| dreamcompiler wrote:
| I can still get FB Messages in the mobile web view by
| telling my browser to use Desktop view and ensuring the
| URL starts with "www" rather than "m." It's painful but
| it works.
|
| I deleted the FB app from my phone years ago (with
| difficulty because Samsung makes it undeletable by non-
| hackers) because the app gives FB far too much info about
| me.
| mark4o wrote:
| On macOS my experience with Zoom in the browser is that the
| gallery mode works in Chrome, however in Chrome it has
| problems with the camera (it reports that the camera is in
| use, or will hog the cpu and work at about 1 frame per
| second). On Firefox the camera works fine, but there is no
| gallery mode. On Safari the gallery mode and camera both
| work, but audio does not work! So I need to choose whether
| to do without video, audio, or gallery mode, or I can
| connect to the meeting twice with two different browsers.
| jefftk wrote:
| The web client now has gallery view
| jacquesm wrote:
| Yes, but they keep pushing the binary anyway.
| albntomat0 wrote:
| > These things shouldn't end with a bounty for the researcher
| and a patch by the vendor. It should end with a root cause
| analysis and a plan to fix that type of vulnerability across
| the entire app, or better yet, the whole industry via a
| research paper.
|
| I'm unsure (and open to discussion) on which classes of bugs
| make that possible. My initial thought is that finding a stack
| overflow bug (to randomly choose a bug class) results in "don't
| goof up memory", which is technically correct, but not actually
| useful in finding others of that class.
|
| In this hypothetical, maybe the result would be some combination
| of assessing programming language choice, programming practice,
| and testing tooling? Can't say those are a silver bullet
| though.
| AndyMcConachie wrote:
| I sometimes wonder if we're destined for a world where software
| companies decide they should employ QA staff. Or if we're
| destined for a world where the majority of QA gets outsourced to
| competitions.
| dreamcompiler wrote:
| Software companies used to have QA staff. But developers said
| "we can write our own tests and you can get rid of those
| expensive QA people who we hate" and here we are, in the land
| of forever-crappy software.
|
| It's our own damn fault for becoming over-reliant on CI to find
| all the bugs.
| Oddskar wrote:
| I squarely put this in the same compartment as "my code is
| self documenting". I've only seen management and devs who are
| less than stellar argue against having QAs.
| oefrha wrote:
| Related, the two other $200k entries from Pwn2Own 2021:[1]
|
| - DEVCORE targeting Microsoft Exchange in the Server category
| (The DEVCORE team combined an authentication bypass and a local
| privilege escalation to complete take over the Exchange server.)
|
| - The researcher who goes by OV targeting Microsoft Teams in the
| Enterprise Communications category (OV combined a pair of bugs to
| demonstrate code execution on Microsoft Teams.)
|
| It would be kind of funny if Slack had one too...
|
| [1]
| https://www.zerodayinitiative.com/blog/2021/4/2/pwn2own-2021...
| Rendello wrote:
| I wonder if the OS world will move towards lightweight but
| unforgiving sandboxing like OpenBSD's `pledge` and `unveil`
| system calls. It's crazy to me that most software is still
| completely free to run around and set things on fire the
| instant it's compromised!
|
| This is about the implementation in SerenityOS, but it's my
| favourite explanation so far:
| https://awesomekling.github.io/pledge-and-unveil-in-Serenity...
| saddlerustle wrote:
| iOS, Android and ChromeOS are already there. But for exploits
| targeting Exchange or Teams it's far from a perfect solution
| because valuable private information is in the app being
| compromised.
| brundolf wrote:
| Most desktop OSes came about (or at least have their roots
| in) a pre-internet world, where you install software from
| discs you purchased at the store, or if you're feeling gutsy,
| from media your friend hands you in real-life. They assume
| you have a great amount of trust in every piece of code you
| run on your computer (and anyway, how will malware exfiltrate
| your data without an always-on network connection?).
|
| Things like Windows Defender and Snap and the recent macOS
| hardening efforts are patchwork solutions to try and cope
| with the modern world, but they'll never really be enough
| because these systems can't be fundamentally re-thought; they
| have to keep doing everything everybody already expects them
| to do. Only brand new OSes really get the chance to do things
| right, and only the mobile ones really had the opportunity to
| gain wide adoption.
| nightpool wrote:
| Just last week we were talking about a zero-click bug in
| Apple Mail (https://mikko-kenttala.medium.com/zero-click-
| vulnerability-i...) that didn't even need to bypass Apple's
| built-in sandboxing--simply overwriting Mail.app's config
| files was enough to trigger a devastating information
| disclosure.
| TwoBit wrote:
| I don't see how the large majority of security problems could
| be solved by any OS design. Human failures would just account
| for 95% of breaches instead of the current 85% (made up
| numbers). Not saying the OS improvements aren't useful
| nevertheless..
| HappyTypist wrote:
| Good design can dramatically reduce, if not eliminate, most
| human vulnerabilities.
|
| For example, phishing sites would be radically less
| effective if passwords are not a thing, and everyone logged
| in using hardware keys (e.g. Yubikeys) which
| cryptographically prevent phishing.
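As an added example (not from this thread, and not any vendor's code), a toy Python model of the origin binding that makes FIDO2/WebAuthn hardware keys phishing-resistant, which the comment above alludes to. A real key signs authenticatorData (which starts with SHA-256 of the relying party ID) together with SHA-256 of clientDataJSON (which records the page origin and the challenge); the browser refuses an rpId that is not the page's host or a parent domain of it, and the relying party rejects any assertion whose origin or rpIdHash is not its own. The relying party `zoom.us`, the attacker origin and the challenge are constructed for illustration, and the key's ECDSA signature is replaced by an HMAC over the same bytes with a per-credential secret shared with the toy relying party; the binding logic, not the signature scheme, is what is demonstrated.

```python
import hashlib
import hmac
import json
import secrets

RP_ID = "zoom.us"                                  # hypothetical relying party, for illustration
RP_ORIGIN = "https://zoom.us"
PHISH_ORIGIN = "https://zoom.us.login-verify.example"  # constructed attacker origin


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def host_of(origin: str) -> str:
    return origin.split("://", 1)[1]


class Authenticator:
    """Toy hardware key. A credential is scoped to one rpId at creation and is
    only ever used for that rpId. HMAC stands in for the real ECDSA signature."""

    def __init__(self):
        self.creds = {}  # credential id -> (rp_id, secret)

    def make_credential(self, rp_id):
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self.creds[cred_id] = (rp_id, key)
        return cred_id, key  # key is handed to the toy RP in place of a public key

    def get_assertion(self, cred_id, rp_id, client_data_hash):
        stored_rp_id, key = self.creds[cred_id]
        if stored_rp_id != rp_id:
            raise LookupError("no credential scoped to rpId %r" % rp_id)
        # authenticatorData: rpIdHash || flags (UP set) || signCount
        auth_data = sha256(rp_id.encode()) + b"\x01" + (0).to_bytes(4, "big")
        sig = hmac.new(key, auth_data + client_data_hash, "sha256").digest()
        return auth_data, sig


def browser_get(authn, cred_id, page_origin, rp_id, challenge):
    """What the user agent does: refuse an rpId that is not the page's host or a
    parent domain of it, then bind origin and challenge into clientDataJSON."""
    host = host_of(page_origin)
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("rpId %r not valid for origin %r" % (rp_id, page_origin))
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": page_origin},
        sort_keys=True,
    ).encode()
    auth_data, sig = authn.get_assertion(cred_id, rp_id, sha256(client_data))
    return client_data, auth_data, sig


def rp_verify(key, challenge, client_data, auth_data, sig):
    """Relying party checks: its own origin and challenge in clientDataJSON,
    its own rpIdHash in authenticatorData, and a valid signature over both."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("origin") != RP_ORIGIN:
        return False
    if cd.get("challenge") != challenge.hex():
        return False
    if auth_data[:32] != sha256(RP_ID.encode()):
        return False
    expected = hmac.new(key, auth_data + sha256(client_data), "sha256").digest()
    return hmac.compare_digest(expected, sig)


def login_attempt(page_origin, rp_id):
    """Run one ceremony end to end; return 'ok' or the reason it failed."""
    authn = Authenticator()
    cred_id, key = authn.make_credential(RP_ID)   # registration happened at the real site
    challenge = secrets.token_bytes(32)           # issued by the real RP, relayed by a phisher
    try:
        client_data, auth_data, sig = browser_get(authn, cred_id, page_origin, rp_id, challenge)
    except (PermissionError, LookupError) as e:
        return "refused before signing: %s" % e
    return "ok" if rp_verify(key, challenge, client_data, auth_data, sig) else "rp rejected assertion"


if __name__ == "__main__":
    print(login_attempt(RP_ORIGIN, RP_ID))                       # legitimate login
    print(login_attempt(PHISH_ORIGIN, RP_ID))                    # phisher asks for the real rpId
    print(login_attempt(PHISH_ORIGIN, host_of(PHISH_ORIGIN)))    # phisher asks for its own rpId
```

The phishing page loses twice before anything is signed: the browser will not let it request the real site's rpId, and the key has no credential for the phisher's own rpId. Even an assertion obtained under another origin is useless, because `rp_verify` checks the origin inside clientDataJSON and the rpIdHash inside authenticatorData before looking at the signature.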
| xvector wrote:
| See Qubes. Your compromised app can't do much without a Xen
| hypervisor zero-day.
| theobeers wrote:
| Yet another (relative) win for the browser environment:
|
| "We also know that the method works on the Windows and Mac
| version of the Zoom software, but does not affect the browser
| version."
| junon wrote:
| I don't think this is the right conclusion to jump to. Browsers
| have a mountain of issues in their own right.
| theobeers wrote:
| Of course they do. I have in mind the choice that we're often
| given these days, between a native (or pseudo-native) desktop
| app and an in-browser version with comparable functionality.
| Perhaps I should have been clearer about that in my earlier
| comment.
| hvis wrote:
| And an order of magnitude more security researchers trying to
| poke holes in them, too.
| tyingq wrote:
| We don't know much about the RCE. It may have been able to do
| something in the browser, with more effort, especially given
| that the "native app" here is an Electron app. Perhaps they
| stopped once they saw they had done enough for the $200k
| bounty.
|
| Edit: Not an electron app.
| [deleted]
| jcelerier wrote:
| > It may have been able to do something in the browser, with
| more effort, especially given that the "native app" here is
| an Electron app.
|
| Zoom is a C++ / Qt app
| tyingq wrote:
| Ah, thanks. I was fooled by the presence of an Electron SDK
| from Zoom.
| BlueTemplar wrote:
| Oh, really?! But then, why does it suck so much at "window
| management" (especially the "chat" feature) ??
| jrockway wrote:
| I don't think Qt has ever pretended to look native. I
| remember using KDE back in the early 2000s and most Qt
| apps that didn't explicitly integrate with KDE didn't
| look "native" either. The other desktop OSes are not even
| internally consistent -- look at Windows's "settings" vs.
| "control panel". Which one is native? The answer is they
| both are, sort of, but there are simply two UI kits
| bundled with the OS. One is deprecated, the other isn't
| ready yet. Qt is not going to solve that problem for you.
|
| (I'll also point out that even if you have a
| Win32ChatWidget in the library, that doesn't mean anyone
| is going to use it. Zoom simply did a bad job
| implementing chat, which is why it's so bad. The UI
| toolkit library is neither the problem nor the solution.
| Caring about making chat good is the solution.)
| de6u99er wrote:
| It is being sold as if everybody dodged a bullet, while nobody
| can be 100% certain that this vulnerability has not already been
| exploited.
| twobitshifter wrote:
| We were told that the Keybase acquisition was going to lead to a
| more secure Zoom. It appears we're still waiting to see that come
| to fruition.
| walrus01 wrote:
| Zoom is entirely banned at the two companies that are my day job,
| and probably 90% of partners. If you do any work adjacent to
| anything that's ITAR controlled you should also not be surprised
| to see the same policy from partner companies. This has been in
| place for quite some time, since the initial security problem that
| was so egregiously bad Apple had to resort to using the malware
| removal tool to remove Zoom's binaries from macOS clients.
|
| Entirely aside from their many past security holes, which have
| been handled poorly, they have straight up lied about end to end
| crypto and what exact crypto it's using. That's before we get
| into the ownership of the company, its management and the
| location of most of the developers.
| astrea wrote:
| Do these issues hold true for the FedRAMP'd "Zoom For
| Government"?
| count wrote:
| No, but that's not available to anybody but the govt.
| neither_color wrote:
| I think we're a bit naive in the west and most often assume
| good faith from certain other business cultures. We're not used
| to companies that engage in calculated perfidy and have their
| "sorry" prepared long before you've discovered the problem. To
| put it another way, "It's better to ask for forgiveness than to
| ask for permission", or to beat around the bush even more: I
| disagree with Hanlon's razor.
| whimsicalism wrote:
| > I think we're a bit naive in the west
|
| How does the West have anything to do with this? Moreover,
| the West is the birthplace of the "move fast and break
| things" ideology.
| HaggardFinical wrote:
| So people contributing to western business culture don't act
| exactly like Mark Zuckerberg? There's a lot of this stuff in
| "the west" too.
| dzonga wrote:
| I use the zoom web client, never the desktop app. I prefer
| everything to be via the browser since it provides good
| sandboxing. Up until we have good sandboxing mechanisms via
| OS's - it will be the browser for me.
| fukmbas wrote:
| For some reason my fortune pays for Teams but has all of their
| big meetings on zoom. Makes no fucking sense and I would rather
| not have to download their app.
| TwoBit wrote:
| As if other vendors are certainly more secure. Those bans seem
| more based on media exposure than known technical facts and
| evaluations.
| sitzkrieg wrote:
| This was the case here too, but just yesterday I got on a USAF
| hosted Zoom that said 'gov' and was hosted in CONUS, so they seem to
| have some offering at least DoD is ok with now; it appears to only
| be FedRAMP.
|
| https://www.zoomgov.com/
| HappyTypist wrote:
| Note that the DoD Authorization only covers Zoom for _public_
| , not even FOUO, data.
|
| For sensitive data, only Cisco and Microsoft are allowed.
| sitzkrieg wrote:
| yes of course, good point to emphasize it's probably never
| going to even reach CUI approval lol
| alexrustic wrote:
| See also ZDNet article about this:
|
| _Critical Zoom vulnerability triggers remote code execution
| without user input_
|
| https://www.zdnet.com/article/critical-zoom-vulnerability-tr...
| dathinab wrote:
| Seems fair, though "less insecure" would be generally more
| appropriate (independent of it being Zoom).
|
| But then I have lost all trust in Zoom due to the history
| involved with it. And I also don't think Zoom will regain the
| trust, because due to the way they lost trust again and again and
| also acted dishonestly, it's pretty hard for them to convey that
| they changed (instead of just pretending they did).
| jacquesm wrote:
| Same here, Zoom is on our 'ban' list. And MS Teams is getting
| there, what a load of crap that is, it is so buggy it is
| embarrassing.
| _nickwhite wrote:
| My biggest gripe about Teams is what a memory hog it is. Mine
| is currently sitting idle (been on vacation all week) at
| nearly 1GB. Compare this to Zoom, which is idling at just
| over 100MB. Teams is literally taking up 10 times more RAM
| than Zoom just running in the background.
| DangerousPie wrote:
| I have never used Teams but is 1GB of memory usage really
| an issue in 2021, when most laptops have at least 16-32
| gigs of memory? It's been years since the last time I
| actually worried about how much memory some software on my
| laptop was using.
| HaggardFinical wrote:
| "2021, when most laptops have at least 16-32 gigs of
| memory"
|
| Oh man, I'd love to live in the wonderland where you
| posted this comment from.
| ad404b8a372f2b9 wrote:
| Most laptops do not have 16-32 GB of RAM, even in the
| high-end range.
| PurpleFoxy wrote:
| 16 GB is the standard high end spec, 32 GB is the extreme
| edition which usually costs a fortune and is impossible
| to convince your company to buy, especially if multiple
| people need them.
|
| On 16 GB I was constantly running out of memory at work.
| It's not just 1 GB, it's 1 GB times all the other crap you
| need running.
| reaperducer wrote:
| _is 1GB of memory usage really an issue in 2021_
|
| It isn't if you're on a laptop from 2021. But the vast
| majority of people aren't. Companies don't provision new
| computers to their employees every time a new computer
| comes out. At the companies I've worked for, the minimum
| refresh time is 3-5 years, depending on tax laws and
| financial ability.
|
| It's also not a big deal if the computer is only used for
| Zoom. Most people, whether office drones or developers,
| run many programs at once.
| mdaniel wrote:
| In isolation, maybe not, but I don't get paid to have
| chat clients or screen share apps run, I get paid to add
| features or remove bugs from the bazillions of
| microservices and associated spa, which under ideal
| conditions requires running them locally. Every byte
| consumed by something useless is not a tradeoff I
| endorse.
|
| That "ram is cheap and plentiful" is also seriously not
| true for Mac laptops, which both caps how much one can
| expand them and also charges unreasonable rates for the
| additions they do allow
| twobitshifter wrote:
| In Microsoft's defense Teams is an electron (or
| electronesque) app and offers quite a bit more than Zoom in
| terms of features. The fact that it uses so much RAM is
| expected when you consider it as another copy of chrome.
| [deleted]
| InitialLastName wrote:
| It boggles me to no end that Microsoft is switching to
| electron apps even for Windows. You would think that they
| could write native applications that wouldn't sacrifice
| stability, performance or functionality the way Teams
| does for their own operating system.
| _underfl0w_ wrote:
| "Expected" != "Acceptable" though, IMHO.
| slaymaker1907 wrote:
| Try disabling GPU acceleration. It seems to speed things up
| a lot for some reason.
| chollida1 wrote:
| I get that you're just some random internet person but I'll bite
| and assume I'm not being trolled.....
|
| What's so bad about Teams' security that it's almost on your
| ban list?
| netsec_burn wrote:
| Why do you assume you are being trolled? And the last
| wormable, zero click RCE in Microsoft Teams was only 4
| months ago.
| chollida1 wrote:
| > Why do you assume you are being trolled?
|
| Well I did say I assume I'm not being trolled so I'm not
| sure what you're referring to. As a teams user I asked a
| good faith question to try and flesh out her reasons for
| considering banning Teams.
|
| But to give you a reason why someone might assume a troll
|
| - random internet stranger
|
| - Microsoft mentioned, some people just don't like them
| as a company
|
| - no actual reason given, just a comment with zero
| supporting evidence.
|
| How many more reasons would you like?
| dhosek wrote:
| Exactly. I run zoom on my iOS devices because it's hard to
| avoid and at least there's the combination of stricter
| sandboxing/less critical material on the device, but I refuse
| to run it on my computers because there's so much bad history
| with the company I don't feel I can trust them.
| alphabet9000 wrote:
| Likely not the same situation, but it's interesting that Zoom has a
| client URI scheme zoommtg:// and just a year or so ago a CVE [0]
| popped up that involved using the irc:// scheme to demonstrate a
| calculator opening using mIRC.
|
| [0] https://proofofcalc.com/cve-2019-6453-mIRC
| vthallam wrote:
| Can we please edit the headline. This sounds disingenuous, a more
| appropriate headline would be something like "critical
| vulnerability in Zoom Video Calls that would have put millions of
| users at risk has been found".
|
| This feels like a straight up PR piece.
| rijoja wrote:
| Seconded! Only a PR person would dream of saying that a 0-day
| exploit is a good thing. I expect that most HN readers just
| find this hilarious, but still, people read HN since it has a
| good standard. Saying that a 0-day exploit is a good thing goes
| against this, needless to say.
|
| Especially since they've faced serious accusations earlier on.
| dylan604 wrote:
| >Only a PR person would dream of saying that a 0 day exploit
| is a good thing
|
| Depends on your perspective. A 0-day is a very good thing if
| you are an adversary trying to get in. So maybe to the
| alphabet soup of groups CCP, FBI, NSA, etc, woohoo!!!
| toomanyducks wrote:
| Well, as is previously mentioned, it's not _quite_ a 0-day,
| and finding it and responsibly disclosing it is a very good
| thing *compared to alternatives*. I do agree, though, that
| the tone is needlessly confusing, and it feels like PR over
| clarity.
| brundolf wrote:
| It's very clearly sarcasm and not a serious PR move, though I
| agree it makes the article confusing and hard to follow.
| Changing it to a different source link seems appropriate.
| rijoja wrote:
| I don't really think a communication from Malwarebytes is
| the place for sarcastic comments. Let's say you are
| working with the US government; this could have enormous
| implications. I've talked to a lot of clients who ditched
| Zoom for Microsoft Teams due to their earlier mistakes.
|
| Also I find it funny that the heading "Not patched yet" is
| solved by the headline "Security done right".
|
| Let's say you are working with a company that deals with,
| say, healthcare information: a 0-day certainly doesn't make
| things safer, and since it is not patched yet this is
| definitely not done right.
| gowld wrote:
| Teams is exploitable too.
| vulcan01 wrote:
| No one ever got fired for choosing Microsoft.
| okamiueru wrote:
| How can it be very clearly something, and at the same time
| confusing and hard to follow?
| gowld wrote:
| What's clear to A can be confusing to B. Sarcasm or
| satire is a common example.
| brundolf wrote:
| It's clear that it's not serious, but once you get the
| joke you then have to mentally transform every statement
| as you go along in order to get the base facts. That
| hurts clarity.
| charcircuit wrote:
| Having critical zero days being reported is always a good
| thing.
| HenryBemis wrote:
| But I thought we call them "zero day" when they are already
| being abused. I didn't get from the article that this
| vulnerability has been discovered and abused by the
| baddies.
|
| Thus it is NOT a "zero day" but a "critical vulnerability".
|
| Sod the clickbait-y titles!
| JaggedJax wrote:
| Right, isn't this not a Zero Day specifically because it's not
| known to be exploited out in the wild. How can it be, no one
| else knows what the vuln is. It is being reported as part of a
| bug bounty with 90 day disclosure just like anything else would
| be.
| tptacek wrote:
| The term "zero day" has nothing to do with in-the-wild
| exploit observation.
| nixpulvis wrote:
| I always get confused reading/talking about the definition of
| a zero-day with people... But this is what Wikipedia states,
| which is most consistent with my understanding.
|
| > A zero-day (also known as 0-day) is a computer-software
| vulnerability unknown to those who should be interested in
| its mitigation (including the vendor of the target software).
| Until the vulnerability is mitigated, hackers can exploit it
| to adversely affect programs, data, additional computers or a
| network.
|
| Seems like _someone_ knows how to exploit this, and zoom /
| the general public don't know how to mitigate or perform it.
| That seems to fit this definition, no?
| charcircuit wrote:
| A zero day just means that the vulnerability hasn't been
| patched.
| javierbyte wrote:
| Agree, but instead of "that would have put" it should be "that
| could be putting", we don't know if there are people currently
| exploiting the vulnerability and without a patch very well
| could be happening now.
| interestica wrote:
| I really wish there was a changelog for headlines. Too often I
| see a critique like this and I have to figure out if the
| comment is referring to the current headline or a previous
| version. And, if the headline has already unknowingly been
| 'corrected', it leaves me wasting time trying to figure it out
| within that framing.
|
| And it shouldn't be the responsibility of the poster
| necessarily to quote it -- because there's no verifiability
| there.
| swsieber wrote:
| > And it shouldn't be the responsibility of the poster
| necessarily to quote it -- because there's no verifiability
| there.
|
| Although there's no verifiability there, I would assume that
| most people on here comment in good faith.
| vngzs wrote:
| The original title was the article title:
|
| Zoom zero-day discovery makes calls safer, hackers $200,000
| richer
| mssundaram wrote:
| HackerNews is pretty opaque with its moderation
| chrononaut wrote:
| Exactly. It would be nice if there was a little arrow (or
| other icon) next to the title of an article that simply
| showed the previous titles that article used -- much like
| previous gaming handles on Steam profiles; Simple yet
| effective.
| busymom0 wrote:
| If I remember right, Tesla and a few other companies banned Zoom.
| But many governments still use it. How is that okay?
| PostThisTooFast wrote:
| "zero-day?"
| jtdev wrote:
| It sounds like a great deal for Zoom... Zoom would have paid far
| more for this research in any other scenario.
|
| The InfoSec community seems to be quite happy giving away their
| hard work, while the large security vendors make mountains of
| cash on snake oil solutions to enterprises. For context, Zoom
| certainly paid many multiples of $200k during any given month for
| firewall licensing.
| kristjansson wrote:
| OTOH, security researchers do inflate the value of any given
| exploit (chain) vs. broad mitigations.
|
| Still, 200k seems _low_ for a bug that should imperil the
| reputation of a many-billion dollar company. And a few years
| ago it seems like that would have been $1000 and a firm
| handshake...
| bezoz wrote:
| The positive "tilt" in this article is honestly amusing and
| unusual for such articles
|
| "zero-day discovery makes calls safer" "Understandably, Zoom has
| not yet had the time to issue a patch for the vulnerability"
| "This event, and the procedures and protocols that surround it,
| demonstrate very nicely how white-hat hackers work"
|
| Imagine if that was your run of the mill well-hated big corp
|
| "Yet another security vulnerability leaves millions at risk" "XYZ
| Corp shows its incompetence once again exposing users' private
| data to hackers" etc etc
|
| No specific point here. I am just amused!
| ajross wrote:
| I don't think that's fair. The Pwn2Own contest rules
| specifically disallow disclosure. This isn't a "zero day" in
| any sense but marketing. It's a privately disclosed
| vulnerability under a managed embargo, just as if it had been
| reported by Project Zero or whoever.
|
| The ding is that, because it was a "public contest", the
| _existence_ of the vulnerability is known. And that's probably
| a higher risk scenario in the abstract I guess. But I think
| it's clear to all that Pwn2Own and similar activities are a net
| benefit to global software security nonetheless.
| grayhatter wrote:
| Finally, someone who uses 0day more correctly than nearly
| everyone else. My remaining sanity thanks you!
| teawrecks wrote:
| I'm not seeing how your point relates to bezoz's point...
| whatgoodisaroad wrote:
| Maybe the zero-day isn't disclosed from this pwn2own itself,
| but importantly, we now know it exists, which means we should
| consider how many bad actors are already independently aware
| of it and are exploiting it.
|
| Responsible disclosure processes are just as much about
| closing the vectors that we can't prove are under active
| exploit.
| temp667 wrote:
| The Pwn2Own exploits have generally not already been out
| there. There has been a long history of these, including
| some incredible Chrome exploits! So the disclosure process
| tends to work out OK.
| whatgoodisaroad wrote:
| I think that's right that pwn2own exploits are generally
| new to the public, but that only means it's not provably
| out there.
|
| Just to be clear, I think programs like this are great
| and they do improve safety, but only because they result
| in patches. This news shouldn't make users feel safe
| _until_ there is a patch.
| dmix wrote:
| Agreed, just because it exists doesn't mean it was being
| exploited.
|
| And these help patch not just the specific hole but the
| general approach of the exploit chain may expose a whole
| area the development team had not previously considered.
| jms703 wrote:
| This. The article should have been less about 0days and more
| about supporting contests and programs that vulnerability
| researchers.
| coverband wrote:
| It's actually worded in quite that way (even though it'll
| be picked up by larger media differently).
| II2II wrote:
| > Imagine if that was your run of the mill well-hated big corp
|
| I don't know what the general perception of Zoom is. Our
| opinions of it never really come up at work. The discussion I
| see of it online largely focuses upon the security issues so
| that is going to be negative. There is one thing I am grateful
| for though: it seems as though the masses settled on a product
| with decent cross-platform support _for once_. You rarely see
| that unless the product is intended for a niche market (e.g.
| science, engineering, software development). Heck, they even
| package it for Arch.
| kiwijamo wrote:
| Indeed. It is really nice to be able to participate in group
| and conference calls from Linux without having to reboot into
| windows or macos. Also performs well in all the platforms
| I've used it in which is not something I can say for teams
| and Google meets.
| c7DJTLrn wrote:
| Chernobyl nuclear power plant explodes and paves way for safer
| reactor design!*
|
| *citizens not yet evacuated from radiation zone
| pydry wrote:
| >Imagine if that was your run of the mill well-hated big corp
|
| Microsoft seems to be the one banging the "zoom is insecure"
| drum hardest and teams had, like, 4 zero days and paid < 30K
| for them IIRC.
| Moodles wrote:
| ... including an RCE in the very same competition
| https://www.bleepingcomputer.com/news/security/microsofts-
| wi...
| vxNsr wrote:
| This is a PR piece. People do hate zoom, this is zoom trying to
| rehabilitate their image through their security partner.
| FreshFries wrote:
| People hate zoom? Like "Teams is so much better" or "online
| meeting are bad"?
|
| For me it one of the more enjoyable online meeting options
| and it leaves Teams, Skype, webex and what have you, far
| behind.
| Throwaway234285 wrote:
| Like "Zoom is an unethical company".
|
| See: Privacy concerns, lying about encryption, connections
| to china, bad security.
| kyawzazaw wrote:
| a lot of college students do not worry about this
| cstejerean wrote:
| That might be "people on HN hate zoom".
| Throwaway234285 wrote:
| Fair point.
|
| Possibly "people on HN hate zoom, and then use it anyways
| because it's forced."
| rijoja wrote:
| Or how about people on HN are educated about zoom and
| therefore hate it.
| dylan604 wrote:
| That doesn't make them wrong though
| Throwaway234285 wrote:
| It doesn't, but it's worth noting that the general
| populace doesn't feel that way.
| vxNsr wrote:
| I work for a large MSP, one of our partners announced
| recently that effective basically immediately they are no
| longer supporting any zoom integrations due to the China
| connection.
| hashkb wrote:
| Because they don't realize how bad Zoom's bad acts could
| be for them. People didn't feel that cigarettes were bad
| for them. People don't feel like McDonald's is bad for
| them.
| chociej wrote:
| Never used Teams. Skype, which I last used years ago, was
| certainly better as far as downloadable chat clients go.
| Google Meet runs circles around Zoom, and I don't have to
| install anything.
| Taylor_OD wrote:
| It's possible to hate Zoom without liking one of the
| alternatives. I know a lot of people hate Zoom because they
| associate it with meeting burnout due to this year and
| security issues.
| hashkb wrote:
| Using Zoom on Linux is a fun way to get everything to crash;
| and may as well flip a coin to see if I'll get connected /
| anyone will be able to hear me.
|
| Google Meet, Slack calls, literally everything else works
| perfectly. With screenshare. On Wayland. I just call in to
| Zooms now.
| LoneWolf wrote:
| This so much, also eats way too much CPU, and has no support
| for background blur, just a damn basic chroma.
| toomanyducks wrote:
| I use Zoom fairly regularly, and haven't had *too* many
| issues. (Debian, x11, the app, though the browser version is
| fairly terrible)
| TwoBit wrote:
| I've read that AV is a dumpster fire on Linux and you're
| lucky if anything runs and Linux has never solved it and no
| resolution in sight.
| not2b wrote:
| My wife has been doing a ton of Zoom on an Ubuntu system on a
| Dell laptop, using their native app. She hasn't had problems.
|
| Clearly your experience differs, not sure why.
|
| Of the proprietary video meeting apps, they all have
| problems, but Zoom sucks less than Teams, Webex, or Skype and
| is a lot easier for non-technical folks to use.
| kiwijamo wrote:
| I'm in the same boat. I use Zoom frequently on Linux and
| its performance is quite acceptable. I use Zoom
| successfully on other platforms as well. It compares well
| to alternatives such as Google Meets which in my experience
| starts to fall apart past a certain number of participants
| on a call. Quite interesting to see the variance of
| experiences as it doesn't match what I've observed
| personally as well as comments I've heard from colleagues
| who have tried various systems. I hear lots of praise for
| Zoom and Teams but Meets is either loved or hated.
| [deleted]
| lostgame wrote:
| >> Imagine if that was your run of the mill well-hated big corp
|
| Zoom is one of my, and several of my coder friends', top-five
| well-hated big corps.
|
| This far into the pandemic, I take personal pride that I hadn't
| installed what for a while was essentially reported as Chinese
| spyware on my machines. :)
| chapium wrote:
| To be fair, Zoom is universally well-hated at this point, at
| least by anyone with an interest in security.
| anoncake wrote:
| Zoom is pretty well-liked by those who would be stuck with
| Teams otherwise.
| Moodles wrote:
| Which was also hacked in pwn2own but that's not a big story
| for some reason
| https://www.bleepingcomputer.com/news/security/microsofts-
| wi...
| dylan604 wrote:
| Wait, are you saying Zoom isn't hated? It's crap. I refuse to
| install its PoS app and all of the security holes it came with
| (don't care if they are fixed or not). Launching a zoom meeting
| in my browser totally bogs the browser down. The zoom site is
| so slow that proving I'm a human is at least 10x slower than on
| other sites. In my use case, nobody on the zoom call is even
| using video, yet it still runs this badly.
| rijoja wrote:
| Didn't they route calls through China for no apparent reason
| as well?
| titzer wrote:
| Not without improving the speed of light.
| chociej wrote:
| Same. The whole interface is god awful. And it almost always
| dishonors my OS audio input/output preferences by default.
| The web client always downgrades my camera resolution for
| some reason, and messes up its aspect ratio. Plus the
| security problems.
| PufPufPuf wrote:
| Zoom has a history of nasty security issues, does shady
| business with China and bought and killed Keybase. It's a
| shitty company not even considering their software.
| 13415 wrote:
| Which goes to tell you how good their software is. It is
| better than anything other companies have to offer for
| video conference calls with many participants and screen
| sharing, which is why our university is using it after we
| had evaluated all competitors last year in April.
| codefreakxff wrote:
| We run zoom calls with over 200 participants and no problems.
| It sounds like their browser experience is poor, I don't know
| if that's a browser limitation or bad design, but their app
| on Windows and Mac performs quite well.
|
| Mistakes were made with security early in their product. It's
| clear that has turned a lot of potential users against them.
|
| I'm curious why companies like Facebook get more acceptance
| over terrible security, but other companies are never
| forgiven
| smoldesu wrote:
| It also has an unexpectedly great Linux app, IMO.
| chociej wrote:
| Having to download and use an executable at all is
| ridiculous and half the reason they have so many security
| problems.
| Sn0wCoder wrote:
| I also like zoom over the alternatives. Does it have
| problems, yes but what software doesn't. I have been using
| zoom for years (my school switched early) compared to
| previous tools it just worked and worked well. Yes I know
| they lied and deceived but again marketing is always full
| of BS and guess who makes the blurbs we read on the
| internet about a company. Again the constantly changing UI
| is annoying but what is better? If someone has something
| better that even my grandma can use I will give it a shot.
| dylan604 wrote:
| There's a difference between software having problems,
| and the problems that Zoom had/has. The fiasco of
| creating a method to run any command with escalated sudo
| privileges just because they wanted to make the install
| easier, which remained after install, was absolutely mind
| blowing. Those kinds of things are unforgivable.
| IHLayman wrote:
| If browser performance is bad but app performance is good
| (and I agree that my experience with the app is actually
| pretty good), then it is a bad sign that the exploit is in
| the app, and not the browser version.
| dylan604 wrote:
| >Mac performs quite well.
|
| This is not my experience at all. Early in the lockdown
| when Zoom became the darling, I was forced to install their
| app. Pre-pandemic, Zoom was already panned on this site for
| crap they were doing, so I pushed back hard against using
| Zoom before ultimately relenting. Running zoom with a
| simple 3 person call would bog down my 2017 MBP with fans
| running full tilt. I've since upgraded hardware and zoom is
| not allowed to be installed on this computer.
|
| >I'm curious why companies like Facebook get more
| acceptance
|
| Is there anyone on this site that agrees with that comment?
| I certainly don't. There are multiple billions of FB users,
| so I'm quite sure the readers of HN is just a mere rounding
| error level of numbers.
| agloeregrets wrote:
| Hard agree. Mac resource use of Zoom is insane. The only
| machine I've used that feels not bogged way down and
| blowing its fans like crazy is my M1 Mac and even then
| it's showing > 50% CPU use. When demoing our app in a
| screen share on my old iMac 4K the machine would be
| screaming its fans and much much slower than normal.
| Meanwhile Messages screen sharing used less than 10% CPU.
| IDK what they are doing but it's not right at all.
| kiwijamo wrote:
| I've been involved with Zoom sessions of up to 50
| connections and it has been exceptionally flawless on my work
| macOS laptop from approx 2017. Compared to every other
| video conference software I've tried, Zoom is
| unfortunately by far the best on macOS, Windows and even
| Linux for video conferencing with a large number of
| participants. I am baffled as to why it performs so
| poorly--this is not my observation on the machine I have
| and I also know it works well on many of my
| colleagues' Macs so it is not just the one Mac I use.
| Nuzzerino wrote:
| In my case, Zoom will cause my Mac to heat up quite a lot
| on each call, using the app.
| dheera wrote:
| Also the UI sucks. It doesn't blend nicely with my system.
| It looks like a sore thumb Windows 3.0 app or quack-age
| MacOS app in the midst of a futuristic OS.
| agloeregrets wrote:
| Yes! Like there's a required two clicks to leave a call,
| you can't trust if it will start video on or off, the
| menu bar hides by default! The UX is horrible.
| dylan604 wrote:
| The 2-click to leave is awful. Sure, accidental leaving
| can be annoying. How about don't put the button near
| anything else that might need clicking so that it's much
| less likely to be accidentally clicked.
| jimmont wrote:
| Agree and have a similar experience so I use Jitsi
| https://jitsi.org/ instead and recommend it. If clients
| insist I simply ask they enable joining from a web client,
| otherwise I'm unable to join. Jitsi works well and I find it odd
| how remarkably mindsets become locked into options regardless
| of the accessibility and benefit of alternatives (great
| material for comedy, psychosocial study, etc). From React to
| iOS default apps to Zoom, it's an odd disadvantage of our
| human condition.
| elric wrote:
| The browser experience is pretty decent IMO. And unlike, say,
| MS Teams, at least it works on all platforms with a
| reasonably modern browser.
| dTal wrote:
| I was shocked to find that on Windows, Teams refuses to run
| in any browser except Edge. On Linux, it runs quite happily
| under Chromium. It's the worst sort of anti-competitive
| behavior, in my view.
| puetzk wrote:
| I use it in Firefox regularly, and just checked and it
| runs in chrome too. Weird...
| mynameisvlad wrote:
| https://docs.microsoft.com/en-us/microsoftteams/get-
| clients#...
|
| IE11 (ew), old Edge (ew), Chromium Edge and Chrome are
| fully supported. Newest Safari has limited support, and
| only Firefox and older Safari versions are the only ones
| explicitly not supported.
| mtmail wrote:
| ZDNet's headline is "Critical Zoom vulnerability triggers
| remote code execution without user input"
| rijoja wrote:
| Which is more akin to what a person who actually knows what a
| 0-day exploit is would phrase it.
| AlexCoventry wrote:
| I use the zoom web client, when I have to use zoom. It has fewer
| features, but I'm more comfortable running badly written software
| in an environment designed for hostile code.
|
| Just change the /j/ in the url to /wc/, and insert /join after
| the meeting id.
|
| https://devforum.zoom.us/t/launch-zoom-client-from-browser-w...
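The /j/ to /wc/ rewrite described above, as an added example that is not part of the original post or anything Zoom ships: a Python function that performs it only for https zoom.us links and refuses anything else, so a link from some other host is never silently rewritten. That meeting ids are all digits and that the query string (e.g. a pwd parameter) carries over unchanged are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumption: join links live on zoom.us or one regional subdomain of it.
ZOOM_HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)?zoom\.us$", re.IGNORECASE)
# Assumption: the app-launch path is /j/<numeric meeting id>.
JOIN_PATH_RE = re.compile(r"^/j/(\d+)/?$")


def to_web_client_url(url: str) -> str:
    """Rewrite a Zoom app-launch join URL into a web-client URL.

    https://<sub>.zoom.us/j/<id>[?pwd=...]
        -> https://<sub>.zoom.us/wc/<id>/join[?pwd=...]

    Raises ValueError for anything that is not an https zoom.us /j/ link,
    rather than guessing: the host check is what keeps a look-alike
    domain (zoom.us.example) from being rewritten and then visited.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("only https Zoom links are rewritten")
    host = parts.hostname or ""
    if not ZOOM_HOST_RE.match(host):
        raise ValueError(f"not a zoom.us host: {host!r}")
    m = JOIN_PATH_RE.match(parts.path)
    if not m:
        raise ValueError(f"not a /j/<meeting id> path: {parts.path!r}")
    meeting_id = m.group(1)
    # Query string (assumed to hold pwd=...) is kept; any fragment is dropped.
    return urlunsplit(
        (parts.scheme, parts.netloc, f"/wc/{meeting_id}/join", parts.query, "")
    )


def is_rewritable(url: str) -> bool:
    """True if to_web_client_url() would accept the link."""
    try:
        to_web_client_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample link; the meeting id and pwd value are made up.
    print(to_web_client_url("https://us02web.zoom.us/j/1234567890?pwd=abc123"))
```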
| jacobolus wrote:
| The zoom web client has extremely buggy audio support. It
| regularly breaks in all of the browsers on my computer, and I
| end up listening to meetings only able to contribute via the
| text chat.
| linuxftw wrote:
| I've had this as well. I just refresh as soon as the audio
| and video comes up, and this seems to keep it stable for the
| remainder of the session. Otherwise, there's like a 60% chance I
| lose the ability to do anything.
| AlexCoventry wrote:
| Ah, I didn't know that. I always phone in, and only use the
| computer audio as a failover.
| [deleted]
| neolog wrote:
| Try stracing the desktop client.
| throwaway888abc wrote:
| handy, thanks
| fouuler wrote:
| Naive question. I'm forced to use Zoom by my University, so I run
| it from a dedicated user (on Linux). That's fairly safe, right?
| capableweb wrote:
| "Safe" in security is always relative. Safe from a military
| hacking attack? Probably never. Safe from random scriptkiddies?
| Yeah, probably even if you don't run Zoom with a separate user,
| as long as you got the rest of your shit together. Safe from
| people buying/using 0days? Seems so, since this issue was never
| actually disclosed (yet) so it's not really a 0day, so it'll be
| harder for people to exploit.
|
| You'd need to understand who/what are your threats to
| understand if you're "safe" or not.
| fouuler wrote:
| What I mean is: am I safe from those who have a Zoom 0day, if
| Zoom is running on a separate user; assuming they do not also
| have a Linux 0day.
| thinkharderdev wrote:
| Depends on a lot of things. If the 0day is an RCE they
| would need another privilege escalation exploit. How easy
| that would be depends a lot on how your system is set up.
|
| But the short answer is probably not. Unless you are
| running Qubes or something, if someone can exploit an RCE
| then they can probably own your system.
| fouuler wrote:
| I'd be really interested in a longer answer. I'm running
| Void Linux. What exactly would Qubes add in this
| respect?
| cyberlab wrote:
| This reminds me of the Skype 'vuln' where you could see weird
| VPS/colocation servers scooping up links when you send them via
| their chat feature. /Nobody/ except the recipient and you should
| be visiting that link, yet it's still an issue. At first I
| thought it just wanted to generate a 'link preview' but it's more
| sinister than that. Some random surveillant is looking at every
| link.
| walrus01 wrote:
| How long ago was this going on?
| faraaz98 wrote:
| >The fact that the researchers came out on the second day of the
| Pwn2Own event with this vulnerability does not mean they figured
| it out in those two days. They will have put in months of
| research to find the different flaws and combine them into an RCE
| attack.
|
| I really appreciate the article author mentioning this. It gives
| hope to all beginners and shows that "overnight success" is a
| result of months and years of learning and research
| hankchinaski wrote:
| "safer" until the next zero-day is uncovered
___________________________________________________________________
(page generated 2021-04-09 23:00 UTC)