Comprehensive Software Reviews to make better IT decisions
Cisco Suffers Security Flaw With Zoom Interoperability
On October 31, 2019, Cisco was notified of a security risk with the Zoom Connector for Cisco. Access for the Zoom Connector for Cisco hosted on zoom.us did not require authentication, allowing external users to join a Zoom meeting without password credentials.
Furthermore, Zoom’s landing page copied Cisco’s landing page, misleading users into thinking they were on a secure Cisco webpage.
Cisco named three major security problems that resulted from this incident:
- The Zoom URL did not require credentials.
- Zoom exposed Cisco Webex Devices to administrative exposure by placing itself between the user and the Cisco interface.
- The Zoom URL did not get revoked if the administration password was changed.
Source: Web Conferencing at SoftwareReviews. Accessed November 11, 2019
Cisco’s announcement of this security issue beat the press to the fold. The result is that Cisco has been able to shape the narrative of this incident – and it doesn’t portray Zoom in a good light. Given Zoom’s security problem earlier this year, which saw an exposure in Zoom’s APIs for Webex, Cisco is losing patience.
Sri Srinivasan, SVP and GM for the Team Collaboration Group at Cisco, issued this stark statement: “We [Cisco] would like them [Zoom] to take additional steps to use our supported APIs and work with us to certify the solution so that we can secure our mutual customers effectively.”
Yet in a competitive collaboration marketplace, the harsh reality is that Cisco and Zoom need to ensure interoperability. Microsoft’s Teams offering is making serious traction in this space, and Cisco and Zoom cannot afford to lose out on users due to security problems.
However, Cisco’s public statement will be a jolt to Zoom, who will be left to suffer by themselves if their security issues are not resolved. After all, as Srinivasan continued, though interoperability is convenient, it “comes with zero compromises on security and data integrity.” Abandoning Zoom may not be attractive, but it would certainly limit the fallout if Zoom’s security problems become more frequent.
Want to Know More?
IT leaders have had to learn to facilitate remote meetings overnight. If this transition has been difficult, refer to these guidelines for help.
Microsoft’s end-of-life support for Windows 7 has run into its first set of issues with its extended security updates (ESUs). Administrators who paid for the ESU found out their downloads are not applying.
Qualys’ newest product, VMDR (Vulnerability Management, Detection, and Response), will be available in March and will provide an all-in-one cloud-based solution for vulnerability management. VMDR will automate the entire management cycle on all endpoints.
Web conferencing vendors lined up to offer their software services for free on Monday as workers around the globe started their weeks working from home, complying with social distancing recommendations in reaction to the COVID-19 pandemic.
Microsoft has added its Windows 10 Tamper Protection controls to the public version of Microsoft Defender. Previously available only to enterprise users, Tamper Protection is intended to better detect threats that make it past other defences and to provide remediation suggestions.
Users of GoToMeeting’s webinar-hosting software can now charge registrants and accept their payments natively within the software solution, the vendor announced on Feb. 27.
Qualys Research Labs, a vulnerability management provider, discovered a vulnerability in the OpenSMTPD Mail server used in conjunction with the OpenBSD operating system. This flaw allows for an attacker to execute arbitrary code with command privileges.
A leaked UN report showed that servers were compromised during a cyberattack that exploited an older version of Microsoft SharePoint. This breach is a case study in the importance of both patch management and transparency.
Reported by Microsoft on January 17, the company admitted to another vulnerability in the older versions of its Windows products. A vulnerability in the remote code execution (RCE) was found in the scripting engine of Internet Explorer (IE).