Two Zero-Day bugs on Zoom nearly exploited to leak data and crash service.
Key Takeaways:
- Zero-click attacks on Zoom nearly led to two crucial security vulnerabilities that could have resulted in data leakages and service-wide crashes.
- The weaknesses in Zoom’s software included the lack of a NULL check and their failure to enable ASLR.
- If exploited, the weaknesses would particularly damage clients and Multimedia Router (MMR) servers, which are responsible for the transmission of audio and video on the globally popular conferencing platform.
- Zoom falls short on security research because of its proprietary software and high-licensing fees. In addition, Zoom does little to make their software accessible to security researchers and others who could strengthen their platform.
Why it Matters:
- While cyberattacks typically result from clicking on a link or accidentally granting a hacker access to one’s device, zero-click attacks are intended to infiltrate the victim’s device without any interaction from the user. Attacks of this nature are especially difficult to trace because they are designed to leave no evidence of any malicious activity.
- By staying informed with an annual assessment, BW Cyber can ensure that your company’s software and platforms are secure and prepared for malicious attacks.
Resources:
- Source: https://thehackernews.com/2022/01/google-details-two-zero-day-bugs.html
- BW’s Enterprise / Customer Training & Phishing: https://www.bwcyberservices.com/services/training-phishing/
- BW’s Penetration Testing: https://www.bwcyberservices.com/services/penetration-testing/
- BW’s Annual Cybersecurity Assessment: https://www.bwcyberservices.com/annual-cybersecurity-assessment/
