<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Hi Rubens,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>OMG. And do we have to do anything, or is Zoom updating the software (Windows; Android) automatically? Do we need to “patch” smth, delete the application and reinstall? (I for example do not use Mac/Apple – only Android and Windows).<br><br>Thanks for the warning,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Alexander<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> Gnso-newgtld-wg [mailto:gnso-newgtld-wg-bounces@icann.org] <b>On Behalf Of </b>Rubens Kuhl<br><b>Sent:</b> Wednesday, July 10, 2019 1:50 PM<br><b>To:</b> Vaibhav Aggarwal, Catalyst & Group CEO <va@bladebrains.com><br><b>Cc:</b> goran.marby@icann.org; ericsyuan2011@gmail.com; Priscilla McCarthy <priscilla.barolo@zoom.us>; Dorrain, Kristine via Gnso-newgtld-wg <gnso-newgtld-wg@icann.org>; Zoom Press <press@zoom.us><br><b>Subject:</b> Re: [Gnso-newgtld-wg] Please specify & Clarify is My Privacy at Risk?<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>VA,<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>It's customary in the information security practice to not disclose vulnerabilities before a solution is provided by the software author, in order to better serve public interest. And this process was followed in this case by both the security researcher that identified it and Zoom and Zoom itself, but in the end it was clear that Zoom was not willing to change the architecture to really solve the problem. That made the security researcher disclose the vulnerability at the end of the customary 3-month period, which forced Zoom's hand and starting version 4.4.4 release 53932 it seems to be solved now. See <a href="https://support.zoom.us/hc/en-us/articles/201361963-New-Updates-for-Mac-OS">https://support.zoom.us/hc/en-us/articles/201361963-New-Updates-for-Mac-OS</a> . <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>You can read more about responsible disclosure in <a href="https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.md">https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.md</a> . <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Zoom trying to downplay the severity of this vulnerability is indeed a problem; it was not low risk, and their attitude of thinking that prevented they fixed it in time, requiring a 0-day attack to be disclosed before they actually plugged the hole. Fixing people is harder than fixing software, and the handling of this does not bring any confidence to how they will handle other vulnerabilities in the future. The full recap published by the security researcher is worth reading:<o:p></o:p></p></div><div><p class=MsoNormal><a href="https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5">https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5</a><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Rubens<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><br><br><o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal>On 10 Jul 2019, at 01:47, Vaibhav Aggarwal, Catalyst & Group CEO <<a href="mailto:va@bladebrains.com">va@bladebrains.com</a>> wrote:<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>Dear Priscillia,<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I appreciate your response. But this is too little and too late. If there was a Vulnerability, why were we not informed earlier as a customer / User. Secondly, I will need to understand what is the extent of this vulnerability. By Saying “Low risk Vulnerability” it is clearly showing that you are not willing to elucidate and want to either brush it under the carpet or ignore or underplay the risk. <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>This is a mandatory disclosure you need to do as it is my privacy at stake. This is Super Important. <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Regards,<o:p></o:p></p></div><div><p class=MsoNormal>-VA<o:p></o:p></p></div><div><div><p class=MsoNormal><br><br><o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal>On Jul 10, 2019, at 2:44 AM, Priscilla McCarthy <<a href="mailto:priscilla.barolo@zoom.us">priscilla.barolo@zoom.us</a>> wrote:<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>Hi there Vaibhav,<o:p></o:p></p><div><p class=MsoNormal>Thank you for your email. These are low-risk vulnerabilities that apply only to Mac users, and we have drafted a blog post discussing them. We are updating our service tonight and this coming weekend. When you see prompted updates, you should update your Zoom app to ensure your security. Here is more information: <a href="https://blog.zoom.us/wordpress/2019/07/08/response-to-video-on-concern/">https://blog.zoom.us/wordpress/2019/07/08/response-to-video-on-concern/</a><o:p></o:p></p></div><div><p class=MsoNormal>Thank you!<br clear=all><o:p></o:p></p><div><div><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 style='border-collapse:collapse'><tr><td valign=top style='padding:0cm 0cm 0cm 0cm'><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=0 style='width:330.0pt;border-collapse:collapse'><tr><td width=66 valign=top style='width:48.0pt;padding:0cm 11.25pt 0cm 0cm'><div style='margin-left:.75pt;margin-top:.75pt;margin-right:.75pt;margin-bottom:.75pt'><p class=MsoNormal style='mso-line-height-alt:0pt'><span style='font-family:"Arial",sans-serif;color:#333333'><a href="https://zoom.us/"><span style='text-decoration:none'><img border=0 id="_x0000_i1025" src="https://smart.zoom.us/v2/imagebucket/zoom.us/Camera_Icon.png" alt=" "></span></a><o:p></o:p></span></p></div></td><td width=374 valign=top style='width:270.75pt;padding:0cm 0cm 0cm 0cm'><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=0 style='width:270.75pt;border-collapse:collapse'><tr><td valign=top style='padding:0cm 0cm 0cm 0cm'><div style='margin-left:.75pt;margin-top:.75pt;margin-right:.75pt;margin-bottom:.75pt'><p class=MsoNormal style='line-height:12.0pt'><b><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:#333333'>Priscilla Barolo <o:p></o:p></span></b></p></div></td></tr><tr><td valign=top style='padding:0cm 0cm 0cm 0cm'><div style='margin-left:.75pt;margin-top:.75pt;margin-right:.75pt;margin-bottom:.75pt'><p class=MsoNormal style='line-height:12.0pt'><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:#333333'>Manager, Communications <o:p></o:p></span></p></div></td></tr><tr><td valign=top style='padding:0cm 0cm 3.0pt 0cm'><div style='margin-left:.75pt;margin-top:.75pt;margin-right:.75pt;margin-bottom:.75pt'><p class=MsoNormal style='line-height:12.0pt'><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:#333333'>Zoom Video Communications <o:p></o:p></span></p></div></td></tr><tr><td valign=top style='padding:0cm 0cm 0cm 0cm'><div style='margin-left:.75pt;margin-top:.75pt;margin-right:.75pt;margin-bottom:.75pt'><p class=MsoNormal style='line-height:12.0pt'><b><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:#333333'>Call</span></b><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:#333333'> <a href="tel:650-438-9456"><span style='color:#333333;text-decoration:none'>650-438-9456</span></a></span><b><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:#B7B7B7'> | </span></b><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:#333333'> <b>Click</b> <a href="https://zoom.us/"><span style='color:#0D89FE'>zoom.us</span></a> </span><b><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:#B7B7B7'> | </span></b><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:#333333'> <b>Zoom</b> <a href="http://zoom.us/j/650-438-9456"><span style='color:#333333;text-decoration:none'>650-438-9456</span></a> <o:p></o:p></span></p></div></td></tr><tr><td valign=top style='padding:5.25pt 0cm 1.5pt 0cm'><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=0 style='width:0cm;border-collapse:collapse'><tr><td width=30 valign=top style='width:19.5pt;padding:0cm 3.0pt 0cm 0cm'><div style='margin-left:.75pt;margin-top:.75pt;margin-right:.75pt;margin-bottom:.75pt'><p class=MsoNormal style='mso-line-height-alt:9.75pt'><span style='font-family:"Arial",sans-serif;color:#333333'><a href="http://www.facebook.com/zoomvideocommunications"><span style='text-decoration:none'><img border=0 width=24 height=24 id="_x0000_i1026" src="https://smart.zoom.us/v2/imagebucket/zoom.us/facebook.png"></span></a><o:p></o:p></span></p></div></td><td width=30 valign=top style='width:19.5pt;padding:0cm 3.0pt 0cm 0cm'><div style='margin-left:.75pt;margin-top:.75pt;margin-right:.75pt;margin-bottom:.75pt'><p class=MsoNormal style='mso-line-height-alt:9.75pt'><span style='font-family:"Arial",sans-serif;color:#333333'><a href="http://www.twitter.com/zoom_us"><span style='text-decoration:none'><img border=0 width=24 height=24 id="_x0000_i1027" src="https://smart.zoom.us/v2/imagebucket/zoom.us/twitter.png"></span></a><o:p></o:p></span></p></div></td><td width=30 valign=top style='width:19.5pt;padding:0cm 3.0pt 0cm 0cm'><div style='margin-left:.75pt;margin-top:.75pt;margin-right:.75pt;margin-bottom:.75pt'><p class=MsoNormal style='mso-line-height-alt:9.75pt'><span style='font-family:"Arial",sans-serif;color:#333333'><a href="http://www.linkedin.com/company/zoom-video-communications-inc-/"><span style='text-decoration:none'><img border=0 width=24 height=24 id="_x0000_i1028" src="https://smart.zoom.us/v2/imagebucket/zoom.us/linkedin.png"></span></a><o:p></o:p></span></p></div></td><td width=107 valign=top style='width:71.25pt;padding:0cm 3.0pt 0cm 0cm'><div style='margin-left:.75pt;margin-top:.75pt;margin-right:.75pt;margin-bottom:.75pt'><p class=MsoNormal style='mso-line-height-alt:9.75pt'><span style='font-family:"Arial",sans-serif;color:#333333'><a href="https://zoom.us/referrals"><span style='text-decoration:none'><img border=0 width=101 height=24 id="_x0000_i1029" src="https://smart.zoom.us/v2/imagebucket/zoom.us/refer-friend.png"></span></a><o:p></o:p></span></p></div></td></tr></table></td></tr></table></td></tr></table></td></tr><tr><td style='padding:0cm 0cm 0cm 0cm;min-width:147px'><div align=center><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=0 style='width:330.0pt'><tr style='height:.75pt'><td style='padding:0cm 0cm 0cm 0cm;height:.75pt'><p class=MsoNormal style='mso-line-height-alt:.75pt'><img border=0 width=147 height=1 id="_x0000_i1030" src="https://smart.zoom.us/v2/imagebucket/zoom.us/1x1.png"><o:p></o:p></p></td><td style='padding:0cm 0cm 0cm 0cm;height:.75pt;min-width:147px'><p class=MsoNormal style='mso-line-height-alt:.75pt'><img border=0 width=147 height=1 id="_x0000_i1031" src="https://smart.zoom.us/v2/imagebucket/zoom.us/1x1.png"><o:p></o:p></p></td><td style='padding:0cm 0cm 0cm 0cm;height:.75pt;min-width:147px'><p class=MsoNormal style='mso-line-height-alt:.75pt'><img border=0 width=147 height=1 id="_x0000_i1032" src="https://smart.zoom.us/v2/imagebucket/zoom.us/1x1.png"><o:p></o:p></p></td></tr></table></div></td></tr></table><p class=MsoNormal><br><br><a href="https://smart.zoom.us/v2/a/zoomtopia19/5d2503c401ca44fa0d942282-OjqXg/httpszoomtopia.us"><span style='text-decoration:none'><img border=0 width=400 id="_x0000_i1033" src="https://smart.zoom.us/v2/a/zoomtopia19/5d2503c401ca44fa0d942282-OjqXg/logo.png" alt=zoomtopia19></span></a><o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>On Tue, Jul 9, 2019 at 12:20 PM Vaibhav Aggarwal <<a href="mailto:va@thevaibhav.com">va@thevaibhav.com</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><div><p class=MsoNormal>Dear Eric,<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I am in receipt of this following email content : <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Hey - remember when ICANN switched everyone from Adobe over to Zoom as a way of enhancing information security and data privacy?<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>"A vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission... This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission. On top of this, this vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call. Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day."<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Read more here: <a href="https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5" target="_blank">https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5</a><o:p></o:p></p></div></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Please Clarify if my privacy at risk. And the steps taken to protect my privacy.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Regards,<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Vaibhav Aggarwal<o:p></o:p></p></div><div><p class=MsoNormal>New Delhi, India<o:p></o:p></p></div><div><p class=MsoNormal><a href="http://vaibhavaggarwal.com/" target="_blank">vaibhavaggarwal.com</a> <o:p></o:p></p></div><div><p class=MsoNormal><a href="http://twitter.com/thevaibhag" target="_blank">twitter.com/thevaibhag</a><o:p></o:p></p></div><div><p class=MsoNormal><a href="http://youtube.com/+vaibhavaggarwalindia" target="_blank">youtube.com/+vaibhavaggarwalindia</a> <o:p></o:p></p></div></div></blockquote></div></div></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div><p class=MsoNormal>_______________________________________________<br>Gnso-newgtld-wg mailing list<br><a href="mailto:Gnso-newgtld-wg@icann.org">Gnso-newgtld-wg@icann.org</a><br><a href="https://mm.icann.org/mailman/listinfo/gnso-newgtld-wg">https://mm.icann.org/mailman/listinfo/gnso-newgtld-wg</a><br>_______________________________________________<br>By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (<a href="https://www.icann.org/privacy/policy">https://www.icann.org/privacy/policy</a>) and the website Terms of Service (<a href="https://www.icann.org/privacy/tos">https://www.icann.org/privacy/tos</a>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.<o:p></o:p></p></div></blockquote></div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>