Google Project Zero researcher finds two critical vulnerabilities in Zoom

Natalie Silvanovich, a researcher at Google Project Zero, reported the detection of two vulnerabilities in the Zoom video conferencing platform whose exploitation would allow threat actors to compromise the deployments of thousands of customers. Silvanovich’s findings were tested by exploiting a recently revealed zero-click attack.

The reported failures were described as a buffer overflow issue affecting Zoom clients and Zoom multimedia routers (MMR), and a central information leakage error for MMR servers.

The report also details the absence of Address Space Layout Randomization (ASLR), a mechanism against memory corruption attacks: “This should be the most important security method to prevent certain types of attack; there are not enough reasons for it to be disabled,” adds the researcher.

About MMR, Silvanovich mentions that as these servers process video conferencing content, errors become more worrisome, with even the risk of cyberespionage. The specialist did not complete the attack chain, but suspects that a threat actor could do so with enough time.

The flaws were reported to Zoom at the end of 2021 and have already been corrected, plus ASLR has been enabled by default. The discovery of these flaws was possible thanks to the fact that the videoconferencing platform allows customers to configure their own servers; however, fixing these flaws can be tricky because Zoom doesn’t have open source components.

For Silvanovich, these access restrictions limit the amount of research and findings related to Zoom: “Closed-source software presents peculiar cybersecurity challenges; Zoom should be more accessible to researchers and experts in ethical hacking,” concludes the researcher.

In November, Zoom rolled out automatic updates for the software’s desktop clients on Windows and macOS, as well as mobile devices. This feature was previously only available to business users, so users are encouraged to stay on top of new announcements.
