Zoom Security: Devs Announce Feature Freeze and Enhanced Bug Bounty Program

Video conferencing firm steps up its game to cope with skyrocketing growth and multiple bugs.
Zoom has fixed a variety of security issues and implemented a 90-day feature freeze in order to focus on privacy and security.

In a blog post on Wednesday (April 1), Zoom’s chief executive Eric Yuan explained what the firm is doing to address recent security and privacy concerns that have accompanied the meteoric rise in use of the platform that has come in response to the coronavirus pandemic.

Zoom said it’s seen daily meeting participants increase from around 10 million in December to more than 200 million last month.

Across many markets, the app is well on its way to becoming a household verb, like Hoover before it, the chagrin of trademark protection lawyers notwithstanding.

This increase in use has made Zoom a honeypot for security researchers, who have uncovered a number of security problems, as well as a renewed focus for privacy-related criticisms, as previously reported.

In response, Zoom has quickly triaged recently discovered bugs while enacting a 90-day feature freeze in order to allow it to focus on safety and privacy issues.

The developers’ to-do list is likely to be extensive, judging from the evidence of recent days.

Emergency bug fixes

Mac security guru Patrick Wardle went public earlier this week with two macOS flaws in Zoom that could allow local, unprivileged attackers to gain root privileges, or to inject malicious code into the app in order to access victims’ mic and camera.

Neither of the flaws lent itself to remote execution, so they would more accurately be described as ‘important’ rather than ‘critical’.

In any case, Zoom moved quickly to patch both macOS bugs. This was a huge contrast to its delayed response to a much more serious remotely exploitable bug last year that created a means to keel-haul macOS users into a Zoom call, with their video camera activated.

Zoom’s security response, a source of criticism in the past, seems to be improving.

The video conference and remote meeting technology provider has also addressed a Uniform Naming Convention (UNC) network path issue that might be abused to enable exploits that rely on social engineering.

A UNC path rendering bug in Zoom’s Windows client disabled prompts that would normally appear before code is run, creating a means for miscreants to push malicious code, providing they are able to trick marks into clicking on a link.
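As an added illustration (not Zoom’s code and not part of the original article), the following Python shows the defensive rendering rule that closes this class of bug: a chat renderer that turns only allowlisted http(s) URLs into clickable links, leaves UNC paths and other schemes as inert text, and reports what it suppressed so a client can log or flag it. The function names, the regexes and the scheme allowlist are assumptions.

```python
import re
from html import escape

# Schemes that may be rendered as clickable links in chat (assumed policy).
ALLOWED_SCHEMES = {"http", "https"}

# Matches either scheme://... URLs or bare UNC paths of the form \\host\share\...
LINK_RE = re.compile(r'(?i)([a-z][a-z0-9+.\-]*://[^\s<>"]+)|(\\\\[^\s\\/]+\\[^\s<>"]*)')


def classify_link(token: str) -> str:
    """Classify a link-like token as 'allowed', 'unc' or 'blocked_scheme'."""
    if token.startswith("\\\\"):
        return "unc"
    scheme = token.split("://", 1)[0].lower()
    return "allowed" if scheme in ALLOWED_SCHEMES else "blocked_scheme"


def render_chat_message(text: str):
    """Return (html, suppressed).

    Only allowlisted URLs become <a> tags; UNC paths and non-allowlisted
    schemes are emitted as escaped plain text and listed in `suppressed`
    so the client can log or surface them instead of making them clickable.
    """
    out, pos, suppressed = [], 0, []
    for m in LINK_RE.finditer(text):
        out.append(escape(text[pos:m.start()]))   # plain text before the token
        token = m.group(0)
        kind = classify_link(token)
        if kind == "allowed":
            out.append(
                f'<a href="{escape(token, quote=True)}" rel="noopener noreferrer">'
                f'{escape(token)}</a>'
            )
        else:
            out.append(escape(token))             # inert text, never a link
            suppressed.append((kind, token))
        pos = m.end()
    out.append(escape(text[pos:]))
    return "".join(out), suppressed
```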

In addition, Zoom has removed the LinkedIn Sales Navigator after identifying “unnecessary data disclosure by the feature” as well as exorcising its controversial attendee attention tracker feature.

The changes follow up last week’s removal of the Facebook SDK in Zoom’s iOS client – a technology that was sending data to Facebook even for smartphone users of the video conferencing app who didn’t have an account with the social network – and the publication of an updated privacy policy.

School’s out

Zoom was built as a video conferencing platform for enterprises so the widespread use of the technology by schools, to offer remote classes, and consumers was something it hadn’t prepared for.

Yuan apologised for “falling short of the community’s – and our own – privacy and security expectations” in what it offered.

In order to improve the security and privacy of its technology, Zoom has set up a number of strategic changes, including a revamped bug bounty program.

As part of its ongoing security audits, the company said it would be running a series of “simultaneous white box penetration tests to further identify and address issues” and “preparing a transparency report that details information related to requests for data, records, or content”.

In addition, the video conferencing technology firm has launched a CISO council to facilitate ongoing dialogue regarding security and privacy best practices.

Independent experts have welcomed Zoom’s response. How well the company follows through on its commitments will undoubtedly be closely monitored.

“The steps that the company have taken so far to address the immediate issues of harm and abuse are welcome and one has to feel some sympathy for an organisation that was one of the first to offer free services during the pandemic,” said Rik Ferguson, vice president of security research at Trend Micro, in a post on Twitter.

“As a result, Zoom found itself not just a victim of poor decision making but also a victim of its own success. With great deployment comes great scrutiny, from abusers, criminals and security and privacy researchers. At heart though, Zoom are now doing The Right Thing,” he concluded.

Are you watching closely?

One of the most high-profile types of abuse is so-called ‘Zoombombing’, where mischief-makers or worse unexpectedly inject themselves into conference calls before sending pornography, racist material, or otherwise trolling genuine meeting participants.

Earlier this week, the FBI’s Boston field office warned it had “received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language”.

The FBI’s alert goes on to give advice on how to lock down video conferencing meetings to guard against such trolling.

The Fed’s advice essentially summarizes a recently published guide from Zoom on how to guard against such trolling.

Zoom’s blog post covers protective features such as passwords, muting controls, and the limiting of screen sharing to guard against harassment.

This post was originally published by The Daily Swig on portswigger.net
