[technology taskforce] Fwd: AW: [EURO-Discuss] Zoom Structural Vulnerability Discovered

Olivier MJ Crépin-Leblond ocl at gih.com
Wed Jul 10 18:22:35 UTC 2019


Hello all,

discussions are heating up on the topic of Zoom both on the NCSG mailing
list and on the EURALO discuss mailing list. Isn't this issue more
urgent than waiting for a future TTF call, the date of which is, at
present, not even set?
At least a call from the TTF to the ICANN Tech Team to write a blog post
on what their risk assessment is with regard to this conferencing
technology?
In the meantime, conversations about this are springing up on several
other mailing lists...
Kindest regards,

Olivier


-------- Forwarded Message --------
Subject: 	AW: [EURO-Discuss] Zoom Structural Vulnerability Discovered
Date: 	Wed, 10 Jul 2019 14:12:57 +0000
From: 	Mühlberg, Annette <annette.muehlberg at verdi.de>
To: 	Jean-Jacques Subrenat <jjs at dyalog.net>,
ncsg-discuss at listserv.syr.edu <ncsg-discuss at listserv.syr.edu>, Paul
Rosenzweig <paul.rosenzweig at redbranchconsulting.com>, EURALO LIST
<euro-discuss at atlarge-lists.icann.org>, Olivier MJ Crepin-Leblond
<ocl at gih.com>, maureen.hilyard at gmail.com <maureen.hilyard at gmail.com>



Dear All,

+1 for JJS: set up a specifications sheet for a desirable conferencing
tool, based on needs expressed by the multi-stakeholder community, and
publish that as a tender. Offers received could then be reviewed not
only by Staff, but in consultation with ACs and SOs.

 

Such needs include data privacy, technical stability and preferably open
standards.

 

Best regards

Annette

Annette Mühlberg

 

*From:* EURO-Discuss <euro-discuss-bounces at atlarge-lists.icann.org> *On
Behalf Of* Jean-Jacques Subrenat
*Sent:* Wednesday, 10 July 2019 15:22
*To:* ncsg-discuss at listserv.syr.edu; Paul Rosenzweig
<paul.rosenzweig at redbranchconsulting.com>; EURALO LIST
<euro-discuss at atlarge-lists.icann.org>; Olivier MJ Crepin-Leblond
<ocl at gih.com>; maureen.hilyard at gmail.com
*Subject:* Re: [EURO-Discuss] Zoom Structural Vulnerability Discovered

 

First, a remark: for Adobe, Zoom or other tool providers, ICANN may not
be the single largest client, but it is certainly a significant one
owing to its nature (quasi-regulatory, multi-stakeholder, some parts
geared to non-commercial users).

 

Then, a recommendation to Chairs of ACs and SOs: ICANN Board and CEO
could be requested to set up a specifications sheet for a desirable
conferencing tool, based on needs expressed by the multi-stakeholder
community, and publish that as a tender. Offers received could then be
reviewed not only by Staff, but in consultation with ACs and SOs.

 

This would get us closer to what we, collectively, consider as the
appropriate tool for the numerous conference calls held throughout ICANN.

 

Jean-Jacques Subrenat.

On 10 July 2019 at 14:46:20, Paul Rosenzweig
(paul.rosenzweig at redbranchconsulting.com) wrote:

    This is assuredly right.  The change from Adobe to Zoom may, or may
    not, have been right for ICANN and for this group for any number of
    reasons ranging from cost, to security, to scalability and utility. 
    But let’s not romanticize Adobe.  They are not a terribly secure
    platform generically.  As James said, the Zoom response is poor –
    but we can’t hang that around the neck of ICANN org. 

     

    P

     

    Paul Rosenzweig

    paul.rosenzweig at redbranchconsulting.com
    <mailto:paul.rosenzweig at redbranchconsulting.com>

    O: +1 (202) 547-0660

    M: +1 (202) 329-9650

    VOIP: +1 (202) 738-1739

    www.redbranchconsulting.com

    My PGP Key:
    https://keys.mailvelope.com/pks/lookup?op=get&search=0x9A830097CA066684

    *From:*NCSG-Discuss <NCSG-DISCUSS at LISTSERV.SYR.EDU
    <mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU>> *On Behalf Of *James Gannon
    *Sent:* Wednesday, July 10, 2019 12:52 AM
    *To:* NCSG-DISCUSS at LISTSERV.SYR.EDU
    <mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU>
    *Subject:* Re: Zoom Structural Vulnerability Discovered

     

    Just want to call out that Adobe has likely the worst reputation in
    the entire tech industry when it comes to security; I really would
    not hold them out as either prompt or without serious issues (I
    believe they still hold the record for number of CVSS 9+ vulns).

    Zoom's response is poor, I agree, but on a data-driven comparison it
    is a far more secure platform.

     

    *From: *NCSG-Discuss <NCSG-DISCUSS at LISTSERV.SYR.EDU
    <mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU>> on behalf of Ayden Férdeline
    <icann at FERDELINE.COM <mailto:icann at FERDELINE.COM>>
    *Reply-To: *Ayden Férdeline <icann at FERDELINE.COM
    <mailto:icann at FERDELINE.COM>>
    *Date: *Tuesday, 9 July 2019 at 14:13
    *To: *"NCSG-DISCUSS at LISTSERV.SYR.EDU
    <mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU>"
    <NCSG-DISCUSS at LISTSERV.SYR.EDU <mailto:NCSG-DISCUSS at LISTSERV.SYR.EDU>>
    *Subject: *Re: Zoom Structural Vulnerability Discovered

     

    That is true, but note that this security researcher notified Zoom
    of the exploit and they were in no rush to repair it. Look at the
    timeline in the Medium post. They only sought to fix it after the
    vulnerability drew media attention. 

     

    Adobe Connect was not perfect but it met our needs and the
    occasional security issues that arose were promptly fixed by Adobe
    and never as serious as this one!

     

    Best wishes, Ayden

     

    On Tue, Jul 9, 2019 at 18:07, Adeel Sadiq <11beeasadiq at seecs.edu.pk
    <mailto:11beeasadiq at seecs.edu.pk>> wrote:

        Speaking from a technical perspective, no software is perfect or
        bug-free. It's only a matter of time before a loophole is found
        and exploited, and eventually patched up. If you think Adobe
        Connect or ezTalks were/are free of these architectural issues,
        think again! That's the way we in the technical community do things.

         

        Regards

         

        Adeel

        Pakistan

         

        On Wed, Jul 10, 2019 at 1:37 AM Ayden Férdeline
        <icann at ferdeline.com <mailto:icann at ferdeline.com>> wrote:

            Unfortunately, uninstalling the application does not rectify
            the situation, due to poor architecture (acknowledged by
            Zoom on their blog today). They are working on a fix, now
            that public scrutiny demands one. So disappointing
            that ICANN has put us in this terrible situation. 

             

            Ayden

            On Tue, Jul 9, 2019 at 16:15, Vaibhav Aggarwal, Catalyst &
            Group CEO <va at BLADEBRAINS.COM <mailto:va at BLADEBRAINS.COM>>
            wrote:

                Thanks for this. Until the next update, I have removed
                the Zoom for Mac client with immediate effect.

                 

                Regards,

                Vaibhav Aggarwal

                New Delhi

                VaibhavAggarwal.com

                    On Jul 10, 2019, at 12:30 AM, Michael Karanicolas
                    <mkaranicolas at GMAIL.COM
                    <mailto:mkaranicolas at GMAIL.COM>> wrote:

                     

                    Hey - remember when ICANN switched everyone from
                    Adobe over to Zoom as a way of enhancing information
                    security and data privacy?

                     

                    "A vulnerability in the Mac Zoom Client allows any
                    malicious website to enable your camera without your
                    permission... This vulnerability allows any website
                    to forcibly join a user to a Zoom call, with their
                    video camera activated, without the user's
                    permission. On top of this, this vulnerability would
                    have allowed any webpage to DOS (Denial of Service)
                    a Mac by repeatedly joining a user to an invalid
                    call. Additionally, if you’ve ever installed the
                    Zoom client and then uninstalled it, you still have
                    a localhost web server on your machine that will
                    happily re-install the Zoom client for you, without
                    requiring any user interaction on your behalf
                    besides visiting a webpage. This re-install
                    ‘feature’ continues to work to this day."

                     

                    Read more
                    here: https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5
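The quoted post above describes a web server that keeps listening on localhost after the Zoom client is uninstalled and answers requests from any web page the user visits. The script below is an added example for this thread, not code from the thread, from Zoom, or from the Medium post: it parses the output of `lsof -nP -iTCP -sTCP:LISTEN` (macOS and Linux) and reports every listener a browser on the same machine could reach that is not on an administrator's allowlist, so a leftover helper daemon of this kind shows up in a routine check rather than only after a public disclosure. The sample lsof output is constructed; the process name ZoomOpener and port 19421 are the values I recall the linked post giving for the Zoom helper and are assumptions here, as are the allowlist entries and the invented PIDs and user names.

```python
"""Audit helper: list daemons listening on localhost that a local web page could reach.

Added example for the Zoom thread, not code from the thread or from Zoom.
Parses `lsof -nP -iTCP -sTCP:LISTEN` output; runs lsof live only when it is
installed, otherwise falls back to a constructed sample so it works offline.
"""
import shutil
import subprocess
from typing import List, NamedTuple, Set


class Listener(NamedTuple):
    command: str
    pid: int
    user: str
    host: str
    port: int


# Bind addresses that a browser running on the same machine can reach via
# http://localhost:<port>/ (a wildcard "*" bind answers on loopback as well).
BROWSER_REACHABLE_HOSTS = {"127.0.0.1", "[::1]", "localhost", "*"}

# Constructed sample in the lsof -nP column layout (not captured from a real
# host). "ZoomOpener" and port 19421 are assumed from the linked Medium post;
# the PIDs, user names, device ids and the other rows are invented.
SAMPLE_LSOF = """\
COMMAND     PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
ZoomOpener  512 alice    7u  IPv4 0x3f2a91c0b6e84d27      0t0  TCP 127.0.0.1:19421 (LISTEN)
rapportd    301 alice    4u  IPv4 0x5d7c02e1a9f3b468      0t0  TCP *:49152 (LISTEN)
sshd         88  root    3u  IPv6 0x9b1e64d7c2a0f5e3      0t0  TCP [::1]:22 (LISTEN)
cupsd        73  root    6u  IPv4 0x17c4e0a2d95b36f1      0t0  TCP 127.0.0.1:631 (LISTEN)
"""


def parse_lsof_listeners(text: str) -> List[Listener]:
    """Turn lsof -nP -iTCP -sTCP:LISTEN output into Listener records.

    The NAME column is "host:port (LISTEN)", so the last two tokens carry the
    socket address; COMMAND, PID and USER are the first three columns.
    """
    found: List[Listener] = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[-1] != "(LISTEN)":
            continue  # header line, or not a listening socket
        host, sep, port = tokens[-2].rpartition(":")
        if not sep:
            continue  # not in host:port form (should not happen with -n -P)
        try:
            found.append(Listener(tokens[0], int(tokens[1]), tokens[2], host, int(port)))
        except ValueError:
            continue  # PID or port not numeric: skip the row rather than abort
    return found


def unexpected_local_listeners(listeners: List[Listener], allowlist: Set[str]) -> List[Listener]:
    """Keep listeners a local browser can reach whose command is not allowlisted."""
    return [
        entry for entry in listeners
        if entry.host in BROWSER_REACHABLE_HOSTS and entry.command not in allowlist
    ]


def audit(allowlist: Set[str], lsof_output: str = "") -> List[Listener]:
    """Audit the given lsof text, or live lsof output when none is supplied."""
    if not lsof_output:
        if shutil.which("lsof") is None:
            lsof_output = SAMPLE_LSOF  # offline fallback: the constructed sample
        else:
            # lsof exits non-zero when nothing matches, so the return code is ignored.
            lsof_output = subprocess.run(
                ["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
                capture_output=True, text=True, check=False,
            ).stdout
    return unexpected_local_listeners(parse_lsof_listeners(lsof_output), allowlist)


if __name__ == "__main__":
    # Assumed allowlist of daemons this host is expected to run.
    EXPECTED = {"sshd", "rapportd", "cupsd"}
    for entry in audit(EXPECTED):
        print(f"unexpected local listener: {entry.command} (pid {entry.pid}, "
              f"user {entry.user}) on {entry.host}:{entry.port}")
```

Run it as a user with enough rights to see other users' sockets (on Linux that usually means root); on the constructed sample it reports only the ZoomOpener row, because the other three commands are on the allowlist. The allowlist is deliberately a set of command names rather than ports, since a helper of this kind can be rebuilt to listen elsewhere but still has to show up as a process.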
