Comprehensive software reviews to make better IT decisions
Two New Zoom Vulnerabilities Uncovered – Upgrade Now!
Two new vulnerabilities in Zoom’s web conferencing software were discovered in early June 2020. These vulnerabilities could allow malicious actors the ability to execute arbitrary code on target hosts and exploit path traversal vulnerabilities in the software. Zoom’s latest update addresses and remediates the vulnerabilities.
Path Traversal attacks enable access to files and directories outside of a web root folder, which would allow a malicious actor to access files stored on a system that were not meant to be publicly available to the web application.
The vulnerabilities were uncovered by Cisco Talos and are listed under Common Vulnerabilities and Exposures (CVE) ID numbers CVE-2020-6109 and CVE-2020-6110. CVE-2020-6109 affects GIPHY, the messaging and animated GIF application. CVE-2020-6110 exploits a chat code snippet in Zoom.
The vulnerabilities are found in version 4.6 of Zoom, one of which “impacts Zoom 4.6.10, 4.6.11 and likely earlier versions, [while the other] only affects 4.6.10 and earlier.”, according to Security Week.
Source: SoftwareReviews. Accessed June 9, 2020
Both vulnerabilities have been addressed in Zoom’s 5.0 update, released in May 2020. Zoom has addressed the vulnerabilities on both the server and client; software on client workstations will need to be upgraded manually.
Upgrade your end-user workstations to the latest Zoom software! The patches released by Zoom address issues on the client software distributed and installed on user workstations. Therefore, IT departments are strongly encouraged to roll out the patch as soon as possible and ensure that all users comply with direction to upgrade their software.
Systems administrators can either distribute the update via your organization’s software distribution tools or have end users execute the upgrade on their own. As a standard practice, we recommend conducing a risk assessment of all software patches to identify urgency and to schedule their installation or deployment accordingly.
Stay tuned to Info-Tech’s Tech Briefs; we will report on developments as they transpire.
Google has announced several updates to its G-Suite offering, which aims to heavily integrate and better secure its teamwork applications. The move represents a clear attempt by Google to directly compete with Microsoft’s office productivity suite, with several of the G-Suite updates mirroring the logical architecture of Office 365.
As of July 1, 2020, over 70,000 small business users receiving their Microsoft 365 services from Navisite will now receive them from Intermedia. The move means that Navisite’s users now have access to a range of Intermedia offerings, including Unite, Contact Center, and AnyMeeting.
Zoom recently announced Zoom for Home: an all-in-one hardware and software for home users designed to enable the work-from-home user with a single home appliance for web conferencing, phone calling, and interactive whiteboard collaboration.
Thinking about choosing a new software vendor but don't know where to start? Narrow down your shortlist by focusing on software that has received an Info-Tech Research Group award. New data from SoftwareReviews shows that organizations reported higher satisfaction when they switched to software that had received an Info-Tech award.
University researchers used artificial intelligence in an experiment to determine the extent of privacy risks that come with the use of this web conferencing tool. Publicly available data scraped from social networks was cross-referenced as part of this research.
As Zoom approaches the end of its 90 day moratorium on enhancements to focus on security, the company names Jason Lee, SalesForce’s former SVP of Security Operations, as its new CISO.
Moving townhall meetings online can present a range of virtual problems – not least, which web conferencing tool to use! This note explores how Microsoft Teams can be used by governmental bodies to remotely host their townhalls and other public engagements.
Upgrading one’s videoconferencing hardware is an important long-term investment that revolves around several decision points. This note offers a process for thinking about these decision points.
Zoom’s security consultant has announced that it will be providing strong encryption to paying customers and educational users of its web conferencing service. The move is being made in consultation with industry security consultants and privacy advocates.