Wednesday, April 1, 2020

Zoom is being blamed for a Windows bug.

Journalist often paint outside of the lines looking for a punchy story.

Zoom this week is being targeted by what almost looks like a coordinated smear campaign with an overwhelming amount of bad press with regards to exposed credentials.

As a security veteran I do clearly get upset when security stories are blown way out of proportion.

Especially when it appears that someone is trying to manipulate the public opinion and bash a specific product.  Even more so, when the issue is actually a Windows OS issue.

Journalists are irresponsibly claiming that using zoom sends off you username and passwords and allows attackers to connect to your computer.


First off, this issue only manifests itself if someone in your meeting sends you a link to click via a chat session and you click on it.

Secondly, your username and password is not just sent out in clear, it is still hashed (protected with some cryptography).  So this applies to you if your password sucks and not if you use a good quality and length password.

Thirdly, inbound connections are blocked by your home router/firewall and your enterprise firewalls. This means an attacker can't just reconnect to your computer.  And remember number 1, the attacker would be someone you invited into your meeting.

So if your meetings have passwords and you don't just let everybody in, how would the attacker even know your meeting is happening and get in there......

Also, simple fix.... turn off the chat function in your meetings until this gets fixed.

Wow... simply fix eh!  The sky is not falling after all.

Second thing of high importance as pointed out by a colleague.  Don't click on Zoom links that come into your email unless you are expecting it.  

Another attack vector currently in play is that a malicious link sent to you, could open your zoom client and trigger this vulnerability.  So the old rule still stands, don't click on links that you don't trust.  If you are expecting a meeting invite, all good.

Some technical changes can be made to your Windows workstation so that it no longer sends off NTLM outbound, and this would be the ideal scenario, however, not everyone is technically tooled to do this.

What would be ideal is if Microsoft would patch this and change the default forcing Windows to NOT send out NTLM to the Internet.

keep in mind that if your password is of good quality (a long and complex password), this vulnerability fails since the attacker cannot break your password.

So lets all calm the hell down.  Yes you can keep using Zoom.  This risk is LOW.

Until these articles, I had not created a Zoom account.  Well, I just did, and I actually really like the thing.  It allows me to change my background to a beach, and with all the self isolation we are going through during this Covid crisis....  I think I really like that option.

In closing, Zoom has had numerous security shortcomings in the last months and years.  They certainly do not appear to be perfect in any sense.  Lets just keep the over exaggeration of security findings down to a minimum. 

There currently is a significant increase in malicious meeting invites and the bad guys are targeting the most common tools like Zoom.  

So this means that we will see breaches attributed when all these factors are combined.  

Keep in mind that some of these tools (like Zoom) are free, and that means that you are the product in some way.


Eric Parent is a senior security expert (and seasoned pilot), specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

No comments:

Post a Comment

----- ENGLISH FOLLOWS Un cas intéressant d'exposition de données à l'UDA. Le site web comprenait une seule ligne de texte qui pouvai...