The hits just keep on coming for Zoom teleconferencing this year as a new critical vulnerability was disclosed late last week. This is, of course, in addition to the other two critical vulnerabilities that were disclosed last month, as well as the privacy issues raised earlier this year involving uninvited guests joining random Zoom meetings. Sadly, this vulnerability comes at a time when more people are relying on remote teleconferencing software than ever before to continue business operations.
The new vulnerability was discovered by cybersecurity firm ACROS, and if exploited it can provide remote code execution to the attacker, allowing them to run their own malicious code and potentially leading to a full system compromise. That said, for Zoom customers there are a couple of dependencies for the exploit to work that may be a saving grace. First, it only works on Windows 7 or older operating systems. Windows 7 has been at end of life since mid-January; however, a lot of enterprises out there still have machines that haven't been upgraded. I still see Windows XP machines floating around, so an operating system that is only 7 months out of support is sure to have a substantial install base. The other potential saving grace is that it does require some (not much) interaction from the intended victim: the vulnerability is exploited when a user performs a fairly standard action like opening a file. The exploit does not trigger any kind of warning (think of Microsoft Word displaying a warning about a macro-enabled document); it just runs in the background while the user remains none the wiser. The attacker's malicious code then runs with the rights of the user who was running Zoom. This is why it's never a good idea to grant users local administrator access (unless absolutely necessary), as in that case exploitation effectively leads to total system takeover. If the victim is a restricted/standard user, the attacker would need to make the extra effort to elevate privileges before gaining system-level access.
How do you protect against this vulnerability? This vulnerability is a perfect example of where security in layers shines:
First off, vulnerability management and secure configuration. If you have Windows 7 machines in production, you'll want to pay Microsoft for extended support and move off that platform onto Windows 10 as quickly as possible. Doing so will protect you not only from this vulnerability but also from the numerous unpatched vulnerabilities that are sure to come for the Windows 7 OS now that it is at end of life.
A strong security policy around administrative rights (the principle of least privilege) should draw a line in the sand, ensuring that only those users who require administrative access to do their jobs are granted it. In addition, the administrative account should be separate and used only to perform actions that require it, with a standard (non-privileged) account used for everything else. Having this in place limits what the attacker can access, preventing them from gaining system-level access should they succeed in exploiting this vulnerability.
Additionally, a weakness I see frequently in organizations is third-party patch management. Does your organization have a way to maintain third-party software like Zoom, Adobe PDF, Java, etc.? Many organizations have strong vulnerability management programs for operating systems but fall short when it comes to third-party applications. It's impossible to patch what you don't know about; do you have an accurate and up-to-date software asset inventory (CIS Control #2) to ensure that you're not missing anything?
What about cybersecurity awareness training? For this exploit to work, the user has to do something like open a document. Are you confident that your users won't open a document sent from an unknown source, and, additionally, that they will report it to your security operations center? Will a notice or warning about this new attack vector reach your end users through a security bulletin or some other means as part of your security awareness program?
Security in layers is one of those concepts that has been around since the dawn of the cybersecurity discipline; however, like a lot of those security hygiene themes, it works, and it works for vulnerabilities old and new.
Zoom has released a patch for this vulnerability starting in version 5.1.3. If you're a home user, I highly recommend enabling the auto-update feature in Zoom (if it's not enabled already) so that you receive security patches as quickly as possible. If you are an enterprise customer, I recommend pushing the Zoom patch through your patch management system ASAP.
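As an added example (not from this post, Zoom or ACROS), here is a small Python triage that applies the exposure conditions described above to a software asset inventory: a host is exposed when it runs Windows 7 or older and a Zoom client below 5.1.3, and a local-admin user on such a host raises the severity. The inventory is constructed, and its column names and OS spellings are assumptions.

```python
"""Triage a software asset inventory for the Windows 7 / Zoom < 5.1.3 exposure."""
import csv
import io

# Version that carries the fix, as stated in the post.
FIXED_ZOOM_VERSION = (5, 1, 3)
# OS names treated as "Windows 7 or older"; the spellings are an assumption
# about how the inventory records them.
AFFECTED_OS = {"windows xp", "windows vista", "windows 7"}

# Constructed sample inventory (hostnames and values are made up).
SAMPLE_INVENTORY = """hostname,os,zoom_version,user_is_local_admin
HR-PC-01,Windows 7,5.0.4,yes
HR-PC-02,Windows 7,5.1.3,no
FIN-PC-03,Windows 10,4.6.12,no
LAB-XP-01,Windows XP,5.1.2,yes
ENG-PC-04,Windows 10,5.1.3,yes
DEV-PC-05,Windows 7,5.10.0,no
OPS-PC-06,Windows Vista,4.6.12,no
"""

def parse_version(text):
    """Turn '5.1.3' into (5, 1, 3). Tuples compare numerically, which avoids
    the classic mistake of comparing version strings ('5.10.0' < '5.1.3')."""
    return tuple(int(part) for part in text.strip().split("."))

def is_vulnerable(os_name, zoom_version):
    """Both conditions from the post must hold: affected OS and unpatched client."""
    return (os_name.strip().lower() in AFFECTED_OS
            and parse_version(zoom_version) < FIXED_ZOOM_VERSION)

def triage(inventory_csv):
    """Return (hostname, severity) for each exposed host, most urgent first.
    'critical': the user is a local admin, so exploitation means full takeover.
    'high': standard user, so the attacker would still need to elevate."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if is_vulnerable(row["os"], row["zoom_version"]):
            admin = row["user_is_local_admin"].strip().lower() == "yes"
            findings.append((row["hostname"], "critical" if admin else "high"))
    findings.sort(key=lambda f: (f[1] != "critical", f[0]))
    return findings

if __name__ == "__main__":
    for host, severity in triage(SAMPLE_INVENTORY):
        print(f"{severity.upper():9}{host}")
```

Hosts already on 5.1.3 or later, and hosts on Windows 10, are left out even when their Zoom client is old, because the post scopes the exposure to Windows 7 or older.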
Written by Zach Turpen
Zach Turpen is a Cybersecurity Expert at TechGuard Security where he conducts penetration tests, vulnerability assessments, social engineering exercises and develops detailed incident response procedures. With experience spanning over 6 years in a Fortune 100 environment, he is also CISSP, CEH, GSEC, Security+, Splunk, Rapid 7, ITIL and VMware certified. Zach graduated Summa Cum Laude from McKendree University with a bachelor's degree in Computer Information Systems. He has worked on the front line of security as an Incident Responder, as a Lead Security Engineer implementing multi-million-dollar projects (SIEM, NGAV, Web Proxies, NGFW) and as a Security Architect migrating business applications to the cloud. In his spare time, Zach enjoys spending time with his wife and two kids, gardening and kayak fishing.