[technology taskforce] Fwd: AW: [EURO-Discuss] Zoom Structural Vulnerability Discovered

Dev Anand Teelucksingh devtee at gmail.com
Thu Jul 11 00:04:39 UTC 2019


Interestingly, Apple has pushed a macOS update to remove the undocumented
web server installed by Zoom:
https://arstechnica.com/information-technology/2019/07/silent-mac-update-nukes-dangerous-webserver-installed-by-zoom/


Dev Anand

On Wed, Jul 10, 2019 at 3:26 PM Dev Anand Teelucksingh <devtee at gmail.com>
wrote:

> Six Colors blog post "Zoom saved you a click—by giving you a security
> hole": https://sixcolors.com/post/2019/07/zoom/
> is an excellent short summary of what Zoom did and whether Zoom would
> learn from this. An excerpt:
>
> "My guess is that Zoom’s original sin comes out of its corporate culture,
> which is focused on competing in a pretty cutthroat industry with demanding
> clients (IT managers) and not particularly technically literate customers
> (the individual business users). There’s probably a great fear of losing
> business to other businesses who can boast about running video meetings
> with ever less friction to the user.
>
> And then Apple comes along and introduces a security feature to Safari
> that requires a confirmation click when any link in a web browser attempts
> to open an external app. Zoom, which likes to pass around web links as a
> way of driving users into conference calls, didn’t look at this security
> measure as something to help keep their customers secure—it viewed it as an
> addition of friction by the platform owner.
>
> Zoom’s response was to build a secret local web server, which allowed Zoom
> to rewrite its hyperlinks to connect to a web server instead of an app—so
> the web server could bypass Safari’s security and launch the app without a
> second click.
>
> I use Zoom because it’s a superior product to Skype for the large-panel
> podcasting that I do, but this issue gives me pause—and not because of the
> specific details of this event. No, it’s for what this says about Zoom’s
> priorities as a company. When the platform owner decides that web links
> shouldn’t open other apps without an approval click—a pretty sensible
> security measure—the corporate response shouldn’t be to bypass that click
> by invisibly installing a hidden server that’s a potential security hole"
>
> Also, the blog post Zoom posted in response to the security disclosure (
> https://blog.zoom.us/wordpress/2019/07/08/response-to-video-on-concern/)
> was updated several times, in response to the outcry. The July 9 patch to
> the Zoom app on Mac devices is live at zoom.us/download
> <https://zoom.us/download?zcid=1231> which now removes the local web
> server entirely, once the Zoom client has been updated and there will be a
> further update to the Zoom client over the weekend regarding user's
> preference for video on by default.
>
> Dev Anand
>
> On Wed, Jul 10, 2019 at 2:32 PM Olivier MJ Crépin-Leblond <ocl at gih.com>
> wrote:
>
>> Thanks Judith. You know, in these matters there is often some hype that
>> makes it bigger than what it actually is, so I'd rather receive good,
>> quality advice on this, rather than read the hyperbolic debates on the
>> Internet.
>> Kindest regards,
>>
>> Olivier
>>
>> On 10/07/2019 20:26, Judith Hellerstein wrote:
>>
>> Hi Olivier,
>>
>> OK, will write a note to the Tech team and ask them to do exactly that.
>> People are just coming back from vacations so it is a bit slow. I know I
>> just got last night
>>
>> Best,
>>
>> Judith
>>
>> _________________________________________________________________________
>> Judith Hellerstein, Founder & CEO
>> Hellerstein & Associates
>> 3001 Veazey Terrace NW, Washington DC 20008
>> Phone: (202) 362-5139  Skype ID: judithhellerstein
>> Mobile/Whats app: +1202-333-6517
>> E-mail: Judith at jhellerstein.com   Website: www.jhellerstein.com
>> Linked In: www.linkedin.com/in/jhellerstein/
>> Opening Telecom & Technology Opportunities Worldwide
>>
>>
>> On 7/10/2019 7:22 PM, Olivier MJ Crépin-Leblond wrote:
>>
>> Hello all,
>>
>> Discussions are heating up on the topic of Zoom both on the NCSG mailing
>> list and on the EURALO discuss mailing list. Isn't this issue more urgent
>> than waiting for a future TTF call, the date of which is, at present, not
>> even set?
>> At least a call from the TTF to ICANN Tech Team to write a Blog of what
>> their risk assessment is, with regards to this conferencing technology? In
>> the meantime, conversations about this are springing up on several other
>> mailing lists...
>> Kindest regards,
>>
>> Olivier
>>
>>
>> -------- Forwarded Message --------
>> Subject: AW: [EURO-Discuss] Zoom Structural Vulnerability Discovered
>> Date: Wed, 10 Jul 2019 14:12:57 +0000
>> From: Mühlberg, Annette <annette.muehlberg at verdi.de>
>> To: Jean-Jacques Subrenat <jjs at dyalog.net>,
>> ncsg-discuss at listserv.syr.edu, Paul Rosenzweig
>> <paul.rosenzweig at redbranchconsulting.com>, EURALO LIST
>> <euro-discuss at atlarge-lists.icann.org>, Olivier MJ Crepin-Leblond
>> <ocl at gih.com>, maureen.hilyard at gmail.com
>>
>> Dear All,
>>
>> +1 for JJS: set up a specifications sheet for a desirable conferencing
>> tool, based on needs expressed by the multi-stakeholder community, and
>> publish that as a tender. Offers received could then be reviewed not only
>> by Staff, but in consultation with ACs and SOs.
>>
>> Such needs include data privacy, technical stability and preferably open
>> standards.
>>
>> Best regards
>>
>> Annette
>>
>> Annette Mühlberg
>>
>> *From:* EURO-Discuss <euro-discuss-bounces at atlarge-lists.icann.org>
>> *On Behalf Of *Jean-Jacques Subrenat
>> *Sent:* Wednesday, 10 July 2019 15:22
>> *To:* ncsg-discuss at listserv.syr.edu; Paul Rosenzweig
>> <paul.rosenzweig at redbranchconsulting.com>; EURALO LIST
>> <euro-discuss at atlarge-lists.icann.org>; Olivier MJ Crepin-Leblond
>> <ocl at gih.com>; maureen.hilyard at gmail.com
>> *Subject:* Re: [EURO-Discuss] Zoom Structural Vulnerability Discovered
>>
>> First, a remark: for Adobe, Zoom or other tool providers, ICANN may not
>> be the single largest client, but it is certainly a significant one owing
>> to its nature (quasi-regulatory, multi-stakeholder, some parts geared to
>> non-commercial users).
>>
>> Then, a recommendation to Chairs of ACs and SOs: ICANN Board and CEO
>> could be requested to set up a specifications sheet for a desirable
>> conferencing tool, based on needs expressed by the multi-stakeholder
>> community, and publish that as a tender. Offers received could then be
>> reviewed not only by Staff, but in consultation with ACs and SOs.
>>
>> This would get us closer to what we, collectively, consider as the
>> appropriate tool for the numerous conference calls held throughout ICANN.
>>
>> Jean-Jacques Subrenat.
>>
>> On 10 July 2019 at 14:46:20, Paul Rosenzweig (
>> paul.rosenzweig at redbranchconsulting.com) wrote:
>>
>> This is assuredly right. The change from Adobe to Zoom may, or may not,
>> have been right for ICANN and for this group for any number of reasons
>> ranging from cost, to security, to scalability and utility. But let’s not
>> romanticize Adobe. They are not a terribly secure platform generically.
>> As James said, the Zoom response is poor – but we can’t hang that around
>> the neck of ICANN org.
>>
>> P
>>
>> Paul Rosenzweig
>> paul.rosenzweig at redbranchconsulting.com
>> O: +1 (202) 547-0660
>> M: +1 (202) 329-9650
>> VOIP: +1 (202) 738-1739
>> www.redbranchconsulting.com
>>
>> My PGP Key:
>> https://keys.mailvelope.com/pks/lookup?op=get&search=0x9A830097CA066684
>>
>> *From:* NCSG-Discuss <NCSG-DISCUSS at LISTSERV.SYR.EDU> *On Behalf Of *James
>> Gannon
>> *Sent:* Wednesday, July 10, 2019 12:52 AM
>> *To:* NCSG-DISCUSS at LISTSERV.SYR.EDU
>> *Subject:* Re: Zoom Structural Vulnerability Discovered
>>
>> Just want to call out that Adobe has likely the worst reputation in the
>> entire tech industry when it comes to security. I really would not hold
>> them out as either prompt or without serious issues (I believe they still
>> hold the record for number of CVSS 9+ vulns).
>>
>> Zoom's response is poor, I agree, but on a data-driven comparison it is a
>> far more secure platform.
>>
>> *From: *NCSG-Discuss <NCSG-DISCUSS at LISTSERV.SYR.EDU> on behalf of Ayden
>> Férdeline <icann at FERDELINE.COM>
>> *Reply-To: *Ayden Férdeline <icann at FERDELINE.COM>
>> *Date: *Tuesday, 9 July 2019 at 14:13
>> *To: *"NCSG-DISCUSS at LISTSERV.SYR.EDU" <NCSG-DISCUSS at LISTSERV.SYR.EDU>
>> *Subject: *Re: Zoom Structural Vulnerability Discovered
>>
>> That is true, but note that this security researcher notified Zoom of the
>> exploit and they were in no rush to repair it. Look at the timeline in the
>> Medium post. They only sought to fix it after the vulnerability drew media
>> attention.
>>
>> Adobe Connect was not perfect but it met our needs and the occasional
>> security issues that arose were promptly fixed by Adobe and never as
>> serious as this one!
>>
>> Best wishes, Ayden
>>
>> On Tue, Jul 9, 2019 at 18:07, Adeel Sadiq <11beeasadiq at seecs.edu.pk>
>> wrote:
>>
>> Speaking from a technical perspective, no software is perfect or
>> bug-free. It's only a matter of time before a loophole is found and
>> exploited and eventually patched up. If you think Adobe Connect or ezTalks
>> were/are free of these architectural issues, think again! That's the way
>> we in the technical community do things.
>>
>> Regards
>>
>> Adeel
>>
>> Pakistan
>>
>> On Wed, Jul 10, 2019 at 1:37 AM Ayden Férdeline <icann at ferdeline.com>
>> wrote:
>>
>> Unfortunately, uninstalling the application does not rectify the
>> situation, due to poor architecture (acknowledged by Zoom on their blog
>> today). They are working on a fix, now that public scrutiny demands one. So
>> disappointing that ICANN has put us in this terrible situation.
>>
>> Ayden
>>
>> On Tue, Jul 9, 2019 at 16:15, Vaibhav Aggarwal, Catalyst & Group CEO <
>> va at BLADEBRAINS.COM> wrote:
>>
>> Thanks for this. Till the next update, I have removed the Zoom for Mac
>> client with immediate effect.
>>
>> Regards,
>>
>> Vaibhav Aggarwal
>>
>> New Delhi
>>
>> VaibhavAggarwal.com
>>
>> On Jul 10, 2019, at 12:30 AM, Michael Karanicolas <mkaranicolas at GMAIL.COM>
>> wrote:
>>
>> Hey - remember when ICANN switched everyone from Adobe over to Zoom as a
>> way of enhancing information security and data privacy?
>>
>> "A vulnerability in the Mac Zoom Client allows any malicious website to
>> enable your camera without your permission... This vulnerability allows any
>> website to forcibly join a user to a Zoom call, with their video camera
>> activated, without the user's permission. On top of this, this
>> vulnerability would have allowed any webpage to DOS (Denial of Service) a
>> Mac by repeatedly joining a user to an invalid call. Additionally, if
>> you’ve ever installed the Zoom client and then uninstalled it, you still
>> have a localhost web server on your machine that will happily re-install
>> the Zoom client for you, without requiring any user interaction on your
>> behalf besides visiting a webpage. This re-install ‘feature’ continues to
>> work to this day."
>>
>> Read more here:
>> https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5
>>
>> _______________________________________________
>> ttf mailing list
>> ttf at atlarge-lists.icann.org
>> https://mm.icann.org/mailman/listinfo/ttf
>>
>> _______________________________________________
>> By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
>>
>>
>> --
>> Olivier MJ Crépin-Leblond, PhD
>> http://www.gih.com/ocl.html
>
>
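The excerpts quoted in this thread describe the structural problem: a web server listening on localhost that any web page the user visits could drive, with the browser's "confirm before opening an app" click bypassed. The following is an added illustration, not Zoom's code and not written by anyone in the thread. It builds a toy localhost helper with an unchecked `/launch` endpoint next to a hardened variant that honours a request only when the browser-supplied `Origin` header is on an allowlist, and treats a missing `Origin` (which is what an `<img>` tag or a plain navigation would produce) as untrusted. The origins `https://meetings.example` and `https://evil.example` and the `/launch` path are constructed for the example; the stronger fix, as the thread reports Zoom's July 9 patch and Apple's update did, is not to ship such a server at all.

```python
# Added example (not Zoom's code): a localhost "helper" HTTP server that any
# web page can drive, beside a hardened variant that only honours requests
# whose Origin header is on an allowlist. Hostnames and the /launch path are
# constructed for illustration.
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed allowlist: the only web origins allowed to trigger the helper.
ALLOWED_ORIGINS = {"https://meetings.example"}


class UncheckedHandler(BaseHTTPRequestHandler):
    """Weak design: /launch performs the privileged action for any caller,
    so a page from any origin the user happens to visit can trigger it."""

    def do_GET(self):
        if self.path == "/launch":
            self.server.launches += 1  # stands in for "open the app / join the call"
            self._reply(200, b"launched")
        else:
            self._reply(404, b"not found")

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


class OriginCheckedHandler(UncheckedHandler):
    """Hardened design: refuse unless the browser-supplied Origin is allowlisted.
    A missing Origin (an <img> load, a navigation, a non-browser client) is
    refused too, because its source cannot be attributed."""

    def do_GET(self):
        origin = self.headers.get("Origin")
        if origin not in ALLOWED_ORIGINS:
            self._reply(403, b"origin not allowed")
            return
        super().do_GET()


def run_request(handler_cls, origin, path="/launch"):
    """Start the helper on an ephemeral loopback port, send one GET carrying
    the given Origin header (None = no header), and return
    (HTTP status, number of privileged actions the server performed)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)
    server.launches = 0
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        port = server.server_address[1]
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
        headers = {"Origin": origin} if origin is not None else {}
        conn.request("GET", path, headers=headers)
        status = conn.getresponse().status
        conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return status, server.launches


if __name__ == "__main__":
    print("unchecked, attacker origin:", run_request(UncheckedHandler, "https://evil.example"))
    print("checked, attacker origin:  ", run_request(OriginCheckedHandler, "https://evil.example"))
    print("checked, no Origin header: ", run_request(OriginCheckedHandler, None))
    print("checked, allowed origin:   ", run_request(OriginCheckedHandler, "https://meetings.example"))
```

The unchecked server performs the action for a request from `https://evil.example`; the checked server answers 403 and performs nothing, both for the foreign origin and when no `Origin` header is present. An origin allowlist is only one layer: a helper that must exist should also avoid side effects on simple GET requests and keep the user-facing confirmation the browser was trying to enforce, rather than being used to route around it.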