Two New Zoom Vulnerabilities Uncovered – Upgrade Now!
Two new vulnerabilities in Zoom’s web conferencing software were discovered in early June 2020. They could allow malicious actors to execute arbitrary code on target hosts and to exploit path traversal weaknesses in the software. Zoom’s latest update addresses and remediates both vulnerabilities.
Path traversal attacks give access to files and directories outside of a web root folder, allowing a malicious actor to reach files stored on a system that were never meant to be exposed through the web application.
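As an added illustration of the weakness class (example code, not Zoom’s or Cisco Talos’s), the naive way of placing a received file under a base directory beside a hardened version that refuses any name resolving outside that directory. The base directory and file names are constructed for the example.

```python
import os
from pathlib import Path


def unsafe_resolve(base_dir: str, name: str) -> str:
    """Naive join: a name containing '..' segments walks out of base_dir.

    This is the pattern behind a path traversal bug; it is shown only
    to contrast with safe_resolve below.
    """
    return os.path.normpath(os.path.join(base_dir, name))


def safe_resolve(base_dir: str, name: str) -> str:
    """Return the absolute target path, or raise if it leaves base_dir.

    Resolving both paths first means '..' segments, absolute names
    (Path joining replaces the base when name is absolute) and symlinks
    are all normalised before the containment check is made.
    """
    base = Path(base_dir).resolve()
    target = (base / name).resolve()
    # The base itself is not an acceptable file target, so we require
    # base to be a strict ancestor of target.
    if base not in target.parents:
        raise ValueError(f"path traversal rejected: {name!r}")
    return str(target)


def is_within_base(base_dir: str, name: str) -> bool:
    """Boolean form of the same check, convenient for filtering."""
    try:
        safe_resolve(base_dir, name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    base = "/srv/app/uploads"  # constructed example directory
    for candidate in ("cat.gif", "../../etc/passwd", "/etc/passwd", ".."):
        print(f"{candidate!r:22} naive={unsafe_resolve(base, candidate):26} "
              f"accepted={is_within_base(base, candidate)}")
```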
The vulnerabilities were uncovered by Cisco Talos and are tracked under Common Vulnerabilities and Exposures (CVE) identifiers CVE-2020-6109 and CVE-2020-6110. CVE-2020-6109 affects GIPHY, the messaging and animated GIF application, while CVE-2020-6110 concerns code snippets shared through Zoom chat.
The vulnerabilities are found in version 4.6 of Zoom; one of them “impacts Zoom 4.6.10, 4.6.11 and likely earlier versions, [while the other] only affects 4.6.10 and earlier,” according to Security Week.
Source: SoftwareReviews. Accessed June 9, 2020
Both vulnerabilities have been addressed in Zoom’s 5.0 update, released in May 2020. Zoom has addressed the vulnerabilities on both the server and client; software on client workstations will need to be upgraded manually.
Upgrade your end-user workstations to the latest Zoom software! The patches released by Zoom address issues on the client software distributed and installed on user workstations. Therefore, IT departments are strongly encouraged to roll out the patch as soon as possible and ensure that all users comply with direction to upgrade their software.
Systems administrators can either distribute the update via their organization’s software distribution tools or have end users perform the upgrade themselves. As a standard practice, we recommend conducting a risk assessment of all software patches to identify urgency and to schedule their installation or deployment accordingly.
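To support that risk assessment, here is an added example (not from Info-Tech or Zoom) that triages a constructed workstation inventory against the version thresholds quoted in this brief: anything below the 5.0 release is flagged for upgrade, and each host is annotated with the CVEs the brief confirms for its version. The inventory format and host names are assumptions.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Thresholds as quoted in the brief (Cisco Talos findings via Security Week).
FIXED_VERSION: Version = (5, 0, 0)
CONFIRMED_AFFECTED: Dict[str, Version] = {
    "CVE-2020-6109": (4, 6, 11),  # 4.6.10, 4.6.11 "and likely earlier"
    "CVE-2020-6110": (4, 6, 10),  # 4.6.10 "and earlier"
}

# Constructed sample inventory: one "hostname,zoom_version" per line.
SAMPLE_INVENTORY = """\
ws-finance-01,4.6.10
ws-finance-02,4.6.11
ws-hr-01,5.0.2
ws-hr-02,4.6.8
ws-sales-01,5.1.0
ws-sales-02,not-installed
"""


def parse_version(text: str) -> Version:
    """'4.6.10' -> (4, 6, 10); pads short or trims long strings to 3 parts."""
    parts = [int(p) for p in text.strip().split(".")][:3]
    if not parts:
        raise ValueError(text)
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def assess_host(version: str) -> dict:
    """Classify one installed version against the brief's thresholds."""
    v = parse_version(version)
    cves = [cve for cve, ceiling in CONFIRMED_AFFECTED.items() if v <= ceiling]
    # Upgrade policy is "below 5.0", not "confirmed affected": the brief
    # says "likely earlier versions", so gaps between 4.6.11 and 5.0 are
    # treated as unpatched rather than safe.
    return {"version": version, "upgrade_required": v < FIXED_VERSION,
            "confirmed_cves": cves}


def triage_inventory(inventory: str) -> Dict[str, list]:
    """Split hosts into those needing upgrade and those with unparseable data."""
    report: Dict[str, list] = {"upgrade": [], "unknown": []}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, version = (part.strip() for part in line.split(",", 1))
        try:
            result = assess_host(version)
        except ValueError:
            report["unknown"].append(host)  # needs a manual check
            continue
        if result["upgrade_required"]:
            report["upgrade"].append((host, result))
    return report
```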
Stay tuned to Info-Tech’s Tech Briefs; we will report on developments as they transpire.