[technology taskforce] Fwd: AW: [EURO-Discuss] Zoom Structural Vulnerability Discovered

Dev Anand Teelucksingh devtee at gmail.com
Wed Jul 10 19:26:56 UTC 2019


Six Colors blog post "Zoom saved you a click—by giving you a security
hole"  : https://sixcolors.com/post/2019/07/zoom/
is an excellent short summary of what Zoom did and whether Zoom would learn
from this. An excerpt:

"My guess is that Zoom’s original sin comes out of its corporate culture,
which is focused on competing in a pretty cutthroat industry with demanding
clients (IT managers) and not particularly technically literate customers
(the individual business users). There’s probably a great fear of losing
business to other businesses who can boast about running video meetings
with ever less friction to the user.

And then Apple comes along and introduces a security feature to Safari that
requires a confirmation click when any link in a web browser attempts to
open an external app. Zoom, which likes to pass around web links as a way
of driving users into conference calls, didn’t look at this security
measure as something to help keep their customers secure—it viewed it as an
addition of friction by the platform owner.

Zoom’s response was to build a secret local web server, which allowed Zoom
to rewrite its hyperlinks to connect to a web server instead of an app—so
the web server could bypass Safari’s security and launch the app without a
second click.

I use Zoom because it’s a superior product to Skype for the large-panel
podcasting that I do, but this issue gives me pause—and not because of the
specific details of this event. No, it’s for what this says about Zoom’s
priorities as a company. When the platform owner decides that web links
shouldn’t open other apps without an approval click—a pretty sensible
security measure—the corporate response shouldn’t be to bypass that click
by invisibly installing a hidden server that's a potential security hole."

Also, the blog post Zoom posted in response to the security disclosure
(https://blog.zoom.us/wordpress/2019/07/08/response-to-video-on-concern/)
was updated several times in response to the outcry. The July 9 patch to
the Zoom app on Mac devices is live at zoom.us/download
<https://zoom.us/download?zcid=1231>; once the Zoom client has been updated,
the local web server is removed entirely. There will be a further update to
the Zoom client over the weekend regarding the user's preference for video
being on by default.

Dev Anand
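As an added illustration, not part of Dev Anand's message and not Zoom's own code: a small Python check for whether the leftover local web server described in the excerpt above is still present on a Mac after the client was uninstalled. It assumes, from the public disclosure rather than from anything in this thread, that the helper listened on localhost TCP port 19421 as a process named ZoomOpener and was installed under ~/.zoomus. The lsof output it parses offline is constructed sample data; run as a script it also inspects the current machine.

```python
"""Check a Mac for the leftover Zoom localhost web server (added example)."""
import os
import re
import subprocess
from typing import Dict, List

# Assumptions taken from the public disclosure, not from this thread:
# the helper listened on 127.0.0.1:19421 as a process named ZoomOpener
# and was installed under ~/.zoomus, surviving uninstall of the app.
ZOOM_LOCAL_PORT = 19421
ZOOM_HELPER_NAME = "ZoomOpener"
ZOOM_HELPER_DIR = ".zoomus"

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output for offline use;
# the first row is what a machine with the leftover helper would show.
SAMPLE_LSOF = """\
COMMAND     PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
ZoomOpener  812 alice    5u  IPv4 0x1c2e6f3d0a1b2c3d      0t0  TCP 127.0.0.1:19421 (LISTEN)
rapportd    433 alice    4u  IPv4 0x1c2e6f3d0a1b9999      0t0  TCP *:49152 (LISTEN)
node       9012 alice   22u  IPv6 0x1c2e6f3d0a1b7777      0t0  TCP [::1]:3000 (LISTEN)
"""

# One lsof row: command, pid, then anything up to "TCP addr:port (LISTEN)".
LISTEN_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+.*?TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\(LISTEN\)"
)
LOOPBACK = {"127.0.0.1", "[::1]", "localhost"}


def parse_listeners(lsof_output: str) -> List[Dict[str, object]]:
    """Turn lsof LISTEN rows into dicts; the header and non-matching rows are skipped."""
    rows = []
    for line in lsof_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            rows.append({"cmd": m["cmd"], "pid": int(m["pid"]),
                         "addr": m["addr"], "port": int(m["port"])})
    return rows


def loopback_listeners(rows: List[Dict[str, object]], port: int) -> List[Dict[str, object]]:
    """Listeners reachable on loopback for `port`.

    A wildcard bind (*:port) is reported too, since it also answers on loopback,
    which is all a web page pointed at localhost needs.
    """
    return [r for r in rows
            if r["port"] == port and (r["addr"] in LOOPBACK or r["addr"] == "*")]


def helper_dir_present(home: str) -> bool:
    """True if the hidden helper directory still exists under `home`."""
    return os.path.isdir(os.path.join(home, ZOOM_HELPER_DIR))


def zoom_server_findings(lsof_output: str, home: str) -> Dict[str, object]:
    """Combine both signals into one report for the given lsof output and home dir."""
    hits = loopback_listeners(parse_listeners(lsof_output), ZOOM_LOCAL_PORT)
    return {
        "listener_on_zoom_port": bool(hits),
        "listener_is_zoom_helper": any(h["cmd"] == ZOOM_HELPER_NAME for h in hits),
        "helper_dir_present": helper_dir_present(home),
    }


def live_lsof_output() -> str:
    """Run lsof on this machine (macOS/Linux); returns "" if lsof is unavailable."""
    try:
        return subprocess.run(["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
                              capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    home_dir = os.path.expanduser("~")
    for key, value in zoom_server_findings(live_lsof_output(), home_dir).items():
        print(f"{key}: {value}")
    print("constructed sample:", zoom_server_findings(SAMPLE_LSOF, home_dir))
```

Two signals are checked rather than one because either alone is ambiguous: another program can legitimately listen on that port, and the directory can remain after the process has stopped. A listener on the port whose process name is the Zoom helper, or the helper directory still present, is what the excerpt's "hidden server" would look like from the outside; the message above notes that the July 9 client update removes the server, so a clean report after updating is the expected outcome.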

On Wed, Jul 10, 2019 at 2:32 PM Olivier MJ Crépin-Leblond <ocl at gih.com>
wrote:

> Thanks Judith. You know, in these matters there is often some hype that
> makes it bigger than what it actually is, so I'd rather receive good,
> quality advice on this, rather than read the hyperbolic debates on the
> Internet.
> Kindest regards,
>
> Olivier
>
> On 10/07/2019 20:26, Judith Hellerstein wrote:
>
> HI Olivier,
>
> OK will write a note to the Tech team and ask them to do exactly that.
> People are just coming back from vacations so it is a bit slow.  I know I
> just got last night
>
> Best,
>
> Judith
>
> _________________________________________________________________________
> Judith Hellerstein, Founder & CEO
> Hellerstein & Associates
> 3001 Veazey Terrace NW, Washington DC 20008
> Phone: (202) 362-5139  Skype ID: judithhellerstein
> Mobile/Whats app: +1202-333-6517
> E-mail: Judith at jhellerstein.com   Website: www.jhellerstein.com
> Linked In: www.linkedin.com/in/jhellerstein/
> Opening Telecom & Technology Opportunities Worldwide
>
>
> On 7/10/2019 7:22 PM, Olivier MJ Crépin-Leblond wrote:
>
> Hello all,
>
> discussions are heating up on the topic of Zoom both in NCSG mailing list,
> and on the EURALO discuss mailing list. Isn't this issue more urgent than
> waiting for a future TTF call, the date of which is, at present, not even
> set?
> At least a call from the TTF to ICANN Tech Team to write a Blog of what
> their risk assessment is, with regards to this conferencing technology? In
> the meantime, conversations about this are springing up on several other
> mailing lists...
> Kindest regards,
>
> Olivier
>
>
> -------- Forwarded Message --------
> Subject: AW: [EURO-Discuss] Zoom Structural Vulnerability Discovered
> Date: Wed, 10 Jul 2019 14:12:57 +0000
> From: Mühlberg, Annette <annette.muehlberg at verdi.de>
> To: Jean-Jacques Subrenat <jjs at dyalog.net>,
> ncsg-discuss at listserv.syr.edu, Paul Rosenzweig
> <paul.rosenzweig at redbranchconsulting.com>, EURALO LIST
> <euro-discuss at atlarge-lists.icann.org>, Olivier MJ Crepin-Leblond
> <ocl at gih.com>, maureen.hilyard at gmail.com
>
> Dear All,
>
> +1 for JJS: set up a specifications sheet for a desirable conferencing
> tool, based on needs expressed by the multi-stakeholder community, and
> publish that as a tender. Offers received could then be reviewed not only
> by Staff, but in consultation with ACs and SOs.
>
>
>
> Such needs include data privacy, technical stability and preferably open
> standards.
>
>
>
> Best regards
>
> Annette
>
>
>
>
>
> ***
>
> Annette Mühlberg
>
>
>
> From: EURO-Discuss <euro-discuss-bounces at atlarge-lists.icann.org>
> On Behalf Of Jean-Jacques Subrenat
> Sent: Wednesday, 10 July 2019 15:22
> To: ncsg-discuss at listserv.syr.edu; Paul Rosenzweig
> <paul.rosenzweig at redbranchconsulting.com>; EURALO LIST
> <euro-discuss at atlarge-lists.icann.org>; Olivier MJ Crepin-Leblond
> <ocl at gih.com>; maureen.hilyard at gmail.com
> Subject: Re: [EURO-Discuss] Zoom Structural Vulnerability Discovered
>
>
>
> First, a remark: for Adobe, Zoom or other tool providers, ICANN may not be
> the single largest client, but it is certainly a significant one owing to
> its nature (quasi-regulatory, multi-stakeholder, some parts geared to
> non-commercial users).
>
>
>
> Then, a recommendation to Chairs of ACs and SOs: ICANN Board and CEO could
> be requested to set up a specifications sheet for a desirable conferencing
> tool, based on needs expressed by the multi-stakeholder community, and
> publish that as a tender. Offers received could then be reviewed not only
> by Staff, but in consultation with ACs and SOs.
>
>
>
> This would get us closer to what we, collectively, consider as the
> appropriate tool for the numerous conference calls held throughout ICANN.
>
>
>
> Jean-Jacques Subrenat.
>
>
>
>
>
> On 10 July 2019 at 14:46:20, Paul Rosenzweig (
> paul.rosenzweig at redbranchconsulting.com) wrote:
>
> This is assuredly right.  The change from Adobe to Zoom may, or may not,
> have been right for ICANN and for this group for any number of reasons
> ranging from cost, to security, to scalability and utility.  But let’s not
> romanticize Adobe.  They are not a terribly secure platform generically.
> As James said, the Zoom response is poor – but we can’t hang that around
> the neck of ICANN org.
>
>
>
> P
>
>
>
> Paul Rosenzweig
>
> paul.rosenzweig at redbranchconsulting.com
>
> O: +1 (202) 547-0660
>
> M: +1 (202) 329-9650
>
> VOIP: +1 (202) 738-1739
>
> www.redbranchconsulting.com
>
> My PGP Key:
> https://keys.mailvelope.com/pks/lookup?op=get&search=0x9A830097CA066684
>
>
>
>
>
> From: NCSG-Discuss <NCSG-DISCUSS at LISTSERV.SYR.EDU> On Behalf Of James
> Gannon
> Sent: Wednesday, July 10, 2019 12:52 AM
> To: NCSG-DISCUSS at LISTSERV.SYR.EDU
> Subject: Re: Zoom Structural Vulnerability Discovered
>
>
>
> Just want to call out that Adobe has likely the worst reputation in the
> entire tech industry when it comes to security, I really would not hold
> them out as either prompt or without serious issues (I believe they still
> hold the record for number of CVSS 9+ vulns).
>
> Zoom's response is poor, I agree, but on a data-driven comparison it is a
> far more secure platform.
>
>
>
> From: NCSG-Discuss <NCSG-DISCUSS at LISTSERV.SYR.EDU> on behalf of Ayden
> Férdeline <icann at FERDELINE.COM>
> Reply-To: Ayden Férdeline <icann at FERDELINE.COM>
> Date: Tuesday, 9 July 2019 at 14:13
> To: "NCSG-DISCUSS at LISTSERV.SYR.EDU" <NCSG-DISCUSS at LISTSERV.SYR.EDU>
> Subject: Re: Zoom Structural Vulnerability Discovered
>
>
>
> That is true, but note that this security researcher notified Zoom of the
> exploit and they were in no rush to repair it. Look at the timeline in the
> Medium post. They only sought to fix it after the vulnerability drew media
> attention.
>
>
>
> Adobe Connect was not perfect but it met our needs and the occasional
> security issues that arose were promptly fixed by Adobe and never as
> serious as this one!
>
>
>
> Best wishes, Ayden
>
>
>
> On Tue, Jul 9, 2019 at 18:07, Adeel Sadiq <11beeasadiq at seecs.edu.pk>
> wrote:
>
> Speaking from a technical perspective, no software is perfect or bug-free.
> It's only a matter of time before a loophole is found and exploited and
> eventually patched up. If you think Adobe Connect or ezTalks were/are free
> of these architectural issues, think again! That's the way we in the
> technical community do things.
>
>
>
> Regards
>
>
>
> Adeel
>
> Pakistan
>
>
>
> On Wed, Jul 10, 2019 at 1:37 AM Ayden Férdeline <icann at ferdeline.com>
> wrote:
>
> Unfortunately, uninstalling the application does not rectify the
> situation, due to poor architecture (acknowledged by Zoom on their blog
> today). They are working on a fix, now that public scrutiny demands one. So
> disappointing that ICANN has put us in this terrible situation.
>
>
>
> Ayden
>
>
>
>
>
> On Tue, Jul 9, 2019 at 16:15, Vaibhav Aggarwal, Catalyst & Group CEO <
> va at BLADEBRAINS.COM> wrote:
>
> Thanks for this. Till the next update, I have removed the Zoom for Mac
> client with immediate effect.
>
>
>
> Regards,
>
> Vaibhav Aggarwal
>
> New Delhi
>
> VaibhavAggarwal.com
>
>
>
>
>
> On Jul 10, 2019, at 12:30 AM, Michael Karanicolas <mkaranicolas at GMAIL.COM>
> wrote:
>
>
>
> Hey - remember when ICANN switched everyone from Adobe over to Zoom as a
> way of enhancing information security and data privacy?
>
>
>
> "A vulnerability in the Mac Zoom Client allows any malicious website to
> enable your camera without your permission... This vulnerability allows any
> website to forcibly join a user to a Zoom call, with their video camera
> activated, without the user's permission. On top of this, this
> vulnerability would have allowed any webpage to DOS (Denial of Service) a
> Mac by repeatedly joining a user to an invalid call. Additionally, if
> you’ve ever installed the Zoom client and then uninstalled it, you still
> have a localhost web server on your machine that will happily re-install
> the Zoom client for you, without requiring any user interaction on your
> behalf besides visiting a webpage. This re-install ‘feature’ continues to
> work to this day."
>
>
>
> Read more here:
> https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5
>
>
> _______________________________________________
> ttf mailing list
> ttf at atlarge-lists.icann.org
> https://mm.icann.org/mailman/listinfo/ttf
>
> _______________________________________________
> By submitting your personal data, you consent to the processing of your
> personal data for purposes of subscribing to this mailing list in accordance
> with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and
> the website Terms of Service (https://www.icann.org/privacy/tos). You can
> visit the Mailman link above to change your membership status or
> configuration, including unsubscribing, setting digest-style delivery or
> disabling delivery altogether (e.g., for a vacation), and so on.
>
> --
> Olivier MJ Crépin-Leblond, PhD
> http://www.gih.com/ocl.html