The video conference platform Zoom has disclosed four new software vulnerabilities that expose users to cyber attacks.
Cyber security researchers found that the vulnerabilities can be used to compromise users over the platform’s chat function. This is possible if criminal hackers send a specially crafted XMPP (Extensible Messaging and Presence Protocol) message and execute malicious code.
If such a message is sent, an attacker could cause clients to connect to a man-in-the-middle server that presents a version of the Zoom client from 2019.
According to Google Project Zero security researcher Ivan Fratric, who discovered the vulnerabilities: “User interaction is not required for a successful attack. The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol.”
Zoom back in the headlines
When COVID-19 took over our lives in early 2020, it was accompanied by the unstoppable force of Zoom. The video conferencing software was suddenly everywhere, being used to host work meetings, family gatherings and inevitable trivia nights.
The platform soon faced a public backlash regarding its poor security practices. It was accused of selling people’s personal data, invading people’s privacy with an “attendee tracking” feature, and failing to address countless vulnerabilities that could be exploited by cyber criminals.
Perhaps most famously, Zoom’s software contained weaknesses that resulted in “zoombombing” – a practice where uninvited guests entered private meetings to harass participants and snoop into people’s homes.
Our collective fascination with Zoom waned when lockdown restrictions were eased across the country and people were once again allowed to see each other face-to-face.
But the software is still widely used for its original purpose – hosting business meetings – with many organizations continuing to offer remote work options.
Zoom users have been repeatedly warned of its numerous security flaws, so adding one more to the mix is unlikely to shock many people.
It’s not as though these latest discoveries are rare. Zoom has discovered five other vulnerabilities this year alone – but that’s to be expected for an organization of its size.
Vulnerabilities are inevitable. You only need to look at Patch Tuesday for evidence. It’s the term used to refer to monthly updates offered by Microsoft, Adobe, Oracle, and other software providers, with those patches often addressing security weaknesses.
Regular patches are so ingrained in the way organizations operate that they can be expected like clockwork. It doesn’t mean those platforms are liabilities; if anything, it means the opposite.
Emphasizing data privacy
Following the dramatic rise to fame and subsequent criticism of Zoom, the platform has displayed a greater emphasis on information security and privacy.
Meanwhile, Bloomberg’s Tae Kim argues that Zoom was a victim of its own success.
“Much of its problems stem from the unintended consequences of when demand explodes in unexpected ways,” Tae wrote. “Originally founded in 2011 for corporate clients, Zoom’s software is now being used in situations it was never designed for.”
Over the past two years, Zoom has implemented several controls to improve its security posture, such as end-to-end encryption, password-protecting meetings by default and adding a waiting room feature to prevent unauthorized guests from entering the call.
The disclosure of these latest vulnerabilities is another sign that Zoom has taken positive steps in emphasizing cyber security.
Zoom was made aware of the flaws in February and patched its server-side issues the same month.
The vulnerabilities were fixed in a software update released on April 24, giving users several weeks to correct their systems before the issue was made public.
If you haven’t yet updated to the latest version of Zoom, you must do so immediately. Once the vulnerability – and the nature of the update – is public knowledge, it alerts cyber criminals to the threat.
They will then look for devices where the vulnerability is still present and attempt to exploit it.
The practice of applying updates swiftly is an essential part of your organization’s success. With dozens, if not hundreds, of pieces of software to manage, you will have countless updates to deal with on a regular basis.
To ensure that all essential updates are applied, you must have a patch management programme.
An ideal way to manage that process is with Cyber Essentials. It’s a framework that consists of five controls that organizations can implement to achieve a baseline of cybersecurity, against which they can achieve certification in order to prove their compliance.
Certification to the scheme provides numerous benefits, including reduced insurance premiums, improved investor and customer confidence, and the ability to tender for business where certification to the scheme is a prerequisite.
Patch management is a key requirement of the Cyber Essentials scheme and will help you confirm that devices and software are not vulnerable to known security issues for which fixes are available.