Zoom Quickly Addresses Zero-Day Vulnerabilities, But Now Is Not the Time to Rest
Amid the surge in cloud-based videoconferencing usage during the COVID-19 pandemic quarantine period, videoconferencing service provider Zoom has moved quickly to address zero-day vulnerabilities reported in its client software. That said, there is still work for it to do.
A flaw in the Zoom installer introduced a “UNC path injection” vulnerability in Zoom’s client software. This vulnerability can potentially allow malicious actors to steal the Windows login credentials of their victims and execute arbitrary commands on vulnerable systems.
Another zero-day vulnerability addressed by the patch deals with how Zoom interacts with the camera and microphone on Apple Mac platforms. Exploiting this vulnerability allows a malicious actor to gain access to the user’s microphone and camera.
(Source: Zoom Rushes Patches for Zero-Day Vulnerabilities, April 2020)
Tom’s Guide reported nine flaws/defects in Zoom, many of which have been addressed as of this writing. While Zoom’s diligent moves to correct these issues are notable, Tom’s Guide’s reporting serves as a testament to the numerous security concerns that plague the suddenly popular videoconferencing service.
(Source: Zoom privacy and security issues: Here's everything that's wrong (so far), April 2020)
The patches released by Zoom address issues on the client software that is distributed and installed on user workstations. Therefore, IT departments are strongly encouraged to roll out the patches as soon as possible and ensure that all users immediately comply with the direction to upgrade their software.
With the immense increase in Zoom’s popularity during this pandemic quarantine period, it is commendable that Zoom is responding quickly to discovered vulnerabilities. That said, it is apparent that Zoom was unprepared for the sudden and massive increases in both the number of subscribers and usage volume. At this critical point in time, Zoom needs to first focus its attention on addressing vulnerabilities uncovered in its product, then sustain its response roadmap to stay ahead of emerging weaknesses over time. The growth in popularity makes the service an attractive prospect for hackers – especially given the publicized and often sensitive ways that Zoom has been used (such as the recent UK government cabinet meeting).
To this end, Zoom has wisely instituted a 90-day freeze on feature enhancement to prioritize its focus on addressing security issues with its product.
Stay tuned to Info-Tech Research Group’s Tech Briefs, as we will report on additional developments as they transpire.