image
Researchers are warning of a new breed of Android malware, dubbed “Agent Smith,” that they claim has infected 25 million handsets in order to replace legitimate apps with doppelgangers that display rogue ads. The malware is tied to a China-based firm, according to Check Point researchers, and is targeting users in India, Pakistan and other parts of Asia. According to research released Wednesday, the malware targets phones that have not been patched for a host of old vulnerabilities such as Janus, an Android flaw that dates back to 2017. Victims are enticed to download dropper program camouflaged as either an image editor, porn-related app or game from a third-party app store. The dropper program then downloads the Agent Smith payload. For those victims with unpatched phones who download apps from third-party app stores, things go from bad to worse. “The core malware is usually disguised as Google Updater, Google Update for U or ‘com.google.vending’. The core malware’s icon is hidden.” The malware inspects the apps on the targeted phone, and then fetches updates to “patch” recognized APKs with malicious ad modules. To do this, the attackers rely on the Janus vulnerability (fixed by Google in December 2017), which allows the threat actors to bypass Android’s APK integrity checks and replace any application on its “prey list” with an infected version. Check Point estimates that each victim could have as many as 112 apps replaced on their handsets with ones that display the rogue ads. “Upon kill-chain completion, Agent Smith will then hijack compromised user apps to show ads,” they wrote. “In certain situations, variants intercept compromised apps’ original legitimate ads display events and report back to the intended ad-exchange with the Agent Smith campaign hacker’s ad IDs.” Check Point said that the Agent Smith dropper proliferates via third-party app store called 9App, patronized primarily by Indian (Hindi), Arabic and Indonesian users. Researchers believe the threat actors behind the malware is a China-based organization located in Guangzhou, a large city located northwest of Hong Kong, based on analysis of the Agent Smith command-and-control servers. “We connected the Agent Smith campaign to a Chinese internet company located in Guangzhou whose front end legitimate business is to help Chinese Android developers publish and promote their apps on overseas platforms,” researchers wrote. The added, “We started with most frequently used C&C domains ‘ad.com’, ‘ad.net’, and ‘ad.org’. Among multiple sub-domains, ‘ad.ad.org’ and ‘gd.a***d.org’ both historically resolved to the same suspicious IP address.” Google’s most recent version of its Android OS is Pie, version 9.0. Check Point reported that Agent Smith is most prevalent in phones running Android version 5.0 (40 percent) and version 6.0 (34 percent), with 9 percent of infected phones running version 8.0. “The Agent Smith campaign serves as a sharp reminder that effort from system developers alone is not enough to build a secure Android ecosystem,” researchers wrote. “It requires attention and action from system developers, device manufacturers, app developers and users, so that vulnerability fixes are patched, distributed, adopted and installed in time.”

Source

image
By Waqas Another day, another data breach; this time, a security researcher has discovered a massive trove of data hosted on an unprotected MongoDB database available for anyone to access without any authentication. Discovered by Comparitech’s researcher Bob Diachenko on June 18, 2019; the database contained personal sensitive information of over 188 million people. According to Diachenko’s […] This is a post from HackRead.com Read the original post: Unprotected MongoDB leaks 188m users’ data from sensitive search engine

Source

image
Intel has patched a high-severity vulnerability in its processor diagnostic tool, which could allow local attackers to launch several malicious attacks on affected devices, such as escalation of privilege or denial of service. The Intel Processor Diagnostic tool is a free product that allows users to test and diagnose any issues in their processor before having to contact tech support. Intel on Tuesday released the patch in tandem with a fix for a medium-severity security vulnerability in its S4500/S4600 lineup of Solid State Drives (SSD) for data centers. “Intel has released security updates to address vulnerabilities in Intel Solid State Drives for Data Centers and Intel Processor Diagnostic Tool,” according to a Cybersecurity and Infrastructure Security Agency (CISA) alert. “An attacker could exploit these vulnerabilities to gain an escalation of privileges on a previously infected machine.” The vulnerability in the Intel Processor Diagnostics tool (CVE-2019-11133) ranks 8.2 out of 10 on the CVSS 3.0 scale, making it high-severity. While details of the vulnerability are slim, Intel said that the flaw stems from improper access control in the tool. This vulnerability “may allow an authenticated user to potentially enable escalation of privilege, information disclosure or denial of service via local access,” said Intel in its’ advisory. Impacted are 32-bit and 64-bit models of the diagnostic tool, before version 4.1.2.24. Users can find the patch here. Researcher Jesse Michael from Eclypsium was credited with reporting the issue. Intel on Tuesday also patched a separate vulnerability (CVE-2018-18095), found internally by Intel, impacts Intel SSD DC S4500 and S4600 series firmware before SCV10150. The flaw stems from a lack of authentication in the firmware for the solid state drives, and may allow an unprivileged user to potentially enable escalation of privilege via physical access. Intel said it recommends updating the S4500 and S4600 series firmware to SCV10150 or later. It’s only Intel’s latest round of patches for vulnerabilities in its products. A few weeks ago, the chip giant patched seven high-severity vulnerabilities in the system firmware of its Intel NUC (short for Next Unit of Computing), a mini-PC kit used for gaming, digital signage and more. In May, Intel fixed high-severity flaw CVE-2019-11094, which could also enable enable escalation of privilege, denial of service and/or information disclosure via local access. Don’t miss our free live Threatpost webinar, “*Streamlining Patch Management,” on Wed., July 24, at 2:00 p.m. EDT. Please join Threatpost editor Tom Spring and a panel of patch experts as they discuss the latest trends in Patch Management, how to find the right solution for your business and what the biggest challenges are when it comes to deploying a program. *Register and Learn More

Source

image
Microsoft today released software updates to plug almost 80 security holes in its Windows operating systems and related software. Among them are fixes for two zero-day flaws that are actively being exploited in the wild, and patches to quash four other bugs that were publicly detailed prior to today, potentially giving attackers a head start in working out how to use them for nefarious purposes. Zero-days and publicly disclosed flaws aside for the moment, probably the single most severe vulnerability addressed in this month’s patch batch (at least for enterprises) once again resides in the component of Windows responsible for automatically assigning Internet addresses to host computers — a function called the “Windows DHCP client.” The DHCP weakness (CVE-2019-0785) exists in most supported versions of Windows server, from Windows Server 2012 through Server 2019. Microsoft said an unauthenticated attacker could use the DHCP flaw to seize total, remote control over vulnerable systems simply by sending a specially crafted data packet to a Windows computer. For those keeping count, this is the fifth time this year that Redmond has addressed such a critical flaw in the Windows DHCP client. All told, only 15 of the 77 flaws fixed today earned Microsoft’s most dire “critical” rating, a label assigned to flaws that malware or miscreants could exploit to commandeer computers with little or no help from users. It should be noted that 11 of the 15 critical flaws are present in or are a key component of the browsers built into Windows — namely, Edge and Internet Exploder Explorer. One of the zero-day flaws — CVE-2019-1132 — affects Windows 7 and Server 2008 systems. The other — CVE-2019-0880 — is present in Windows 8.1, Server 2012 and later operating systems. Both would allow an attacker to take complete control over an affected system, although each is what’s known as an “elevation of privilege” vulnerability, meaning an attacker would already need to have some level of access to the targeted system. CVE-2019-0865 is a denial-of-service bug in a Microsoft open-source cryptographic library that could be used to tie up system resources on an affected Windows 8 computer. It was publicly disclosed a month ago by Google’s Project Zero bug-hunting operation after Microsoft reportedly failed to address it within Project Zero’s stated 90-day disclosure deadline. The other flaw publicly detailed prior to today is CVE-2019-0887, which is a remote code execution flaw in the Remote Desktop Services (RDP) component of Windows. However, this bug also would require an attacker to already have compromised a target system. Mercifully, there do not appear to be any security updates for Adobe Flash Player this month. Standard disclaimer: Patching is important, but it usually doesn’t hurt to wait a few days before Microsoft irons out any wrinkles in the fixes, which sometimes introduce stability or usability issues with Windows after updating (KrebsOnSecurity will endeavor to update this post in the event that any big issues with these patches emerge). As such, it’s a good idea to get in the habit of backing up your system — or at the very least your data — before applying any updates. The thing is, newer versions of Windows (e.g. Windows 10+) by default will go ahead and decide for you when that should be done (often this is in the middle of the night). But that setting can be changed. If you experience any problems installing any of the patches this month, please feel free to leave a comment about it below; there’s a better-than-even chance that other readers have experienced the same and may even chime in with some helpful advice and tips. Further reading: Qualys Patch Tuesday Blog Rapid7 Tenable [full disclosure: Tenable is an advertiser on this blog].

Source

image
By Waqas An estimated 2 million cyberattacks took place in 2018 costing more than $45 billion in damages worldwide. The worse part is that while cyberattacks are surging authorities are struggling to tackle the growing threat, said study released on Tuesday. Ransomware attacks According to the Internet Society’s Online Trust Alliance (OTA), which compiles data from the […] This is a post from HackRead.com Read the original post: Cyber ​​attacks cost $45 billion in 2018 with Ransomware at top

Source

image
Microsoft has addressed 77 vulnerabilities in its July Patch Tuesday update, with 15 of them rated as critical and two known to be under active exploit; and Adobe issued a small group of updates, with surprisingly none for Acrobat Reader or Flash. Eleven of the critical bugs are for scripting engines and browsers, and the four others affect the DHCP Server, GDI+, the .NET Framework and the Azure DevOps Server/Team Foundation Server. “Scripting engine, browser, GDI+, and .NET Framework patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser,” according to Patch Tuesday commentary from Qualys. “This includes multi-user servers that are used as remote desktops for users.” The Microsoft ChakraCore Scripting Engine, Internet Explorer 11 and Microsoft Edge all have a memory corruption vulnerability in their scripting engine (CVE-2019-1001) that could lead to RCE. “The vulnerability exists in the way that the memory handles objects in memory and successful exploitation could allow an attacker to execute arbitrary code,” said Allan Liska, intelligence analyst at Recorded Future, via email. “At this point it is almost expected to find a monthly memory corruption vulnerability in the scripting engine Microsoft browsers, as it is still a prime target for attackers who weaponize these vulnerabilities quickly.” On the server side, the DHCP Server bug (CVE-2019-0785) is a remote code-execution (RCE) flaw that exists when the server is configured for failover; an attacker with network access to the failover DHCP server could run arbitrary code. It affects all versions of Windows Server from 2012 to 2019. A very similar vulnerability, CVE-2019-0725, was patched in May. “One of the most critical vulnerabilities this month is present in Microsoft DHCP Server,” said Liska. “This memory corruption vulnerability…allows an attacker to send a specially crafted packet to a DHCP server and, if successful in exploitation, execute arbitrary code.” And finally, Azure DevOps Server/Team Foundation Server Azure DevOps Server and Team Foundations Server (TFS) are affected by an RCE vulnerability (CVE-2019-1072) that can be exploited through malicious file uploads. “Anyone who can upload a file can run code in the context of the Azure DevOps/TFS account,” according to Qualys. “This includes anonymous users if the server is configured to allow it. This patch should be prioritized for any Azure DevOps or TFS installations.” Liska meanwhile noted that successful exploits of this vulnerability require the targeted project to allow anonymous file submissions. “If an attacker submitted a specially crafted file to the target project as an anonymous user, they would be able to execute arbitrary code on the target server,” he said. “Azure has not been a big target for exploitation in the past, but this is a vulnerability that should be quickly patched due to the ease with which this vulnerability could be exploited at scale.” Actively Exploited Privilege-Escalation Bugs The software giant also released important-level patches for two privilege-escalation vulnerabilities in Win32k and splwow64, which are being actively exploited in the wild. Qualys said that the patches, though labeled as important, should be prioritized since they could be chained with other vulnerabilities to provide an attacker with complete system access. In other words, once they have elevated their privilege level, attackers could exploit another vulnerability to allow them to execute code. The Win32 flaw (CVE-2019-1132) affects Windows 7, Server 2008 and Server 2008 R2. “While an attacker would have to gain log on access to the system to execute the exploit, the vulnerability if exploited would allow the attacker to take full control of the system,” said Chris Goettl, director of product management for security at Ivanti, via email. Meanwhile, the bug in splwow64 (CVE-2019-0880), which is the print driver host for 32-bit applications, would allow an attacker to go from low to medium-integrity privileges. If the patch can’t be deployed immediately, the vulnerability can be mitigated by disabling the print spooler. It affects Windows 8.1, Server 2012 and later OS. Outlook, Linux SACK and Advisories Worth Noting Microsoft also issued two notable advisories, one for Outlook on the web and the other for the known Linux kernel vulnerabilities that were disclosed in June – along with a few other patches that administrators should prioritize, according to researchers. A cross-site scripting vulnerability in Outlook on the web (formerly OWA) would allow an attacker to send a malicious SVG file to a target in order to exploit it. However, success requires the targeted user to open the image file directly by dragging it to a new tab or pasting the URL into a new tab. “While this is an unlikely attack scenario, Microsoft recommends blocking SVG images,” according to Qualys. Several denial-of-service (DoS) vulnerabilities meanwhile were reported in June for the Linux kernel (CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479). Three related flaws were found in the Linux kernel’s handling of TCP networking; the first two are related to TCP Selective Acknowledgement (SACK) packets combined with the Maximum Segment Size parameter, and the third solely with the Maximum Segment Size parameter. The most severe vulnerability (CVE-2019-11477, dubbed SACK Panic) impacts Linux kernels 2.6.29 versions and above. It could allow a remote attacker to trigger a kernel panic in systems running the affected software and, as a result, impact the system’s availability. Microsoft’s advisory details the impact of the kernel bugs on its systems. Also of note is a patch for an SQL Server RCE flaw (CVE-2019-1068). This vulnerability is ranked as important, and does require authentication – however, it could also be chained with SQL injection to allow an attacker to completely compromise the server, according to Qualys, so should be prioritized. And, one of the other patches that researchers said is worth highlighting is CVE-2019-0887, a medium-level vulnerability against Remote Desktop Services (RDS) that was disclosed by Check Point last month. The bug exists in how RDS handles clipboard redirection, according to Liska. It requires an attacker to have access to an RDS server; when a victim connects to that server, an attacker can exploit the vulnerability to execute arbitrary code on the victim system. The bug affects all versions of Windows from Windows 7 to 10, and Windows Server 2008 to 2019. Adobe July Patch Tuesday Updates Adobe meanwhile issued patches for Bridge CC, Experience Manager and Dreamweaver. Experience Manager is patched for three vulnerabilities, while Bridge and Dreamweaver each have one. None are labeled as critical, and the highest rated vulnerability for each software package is labeled as important. “Adobe released three patches for July, but surprisingly, none are for Adobe Flash or Acrobat Reader,” said Dustin Childs, researcher with Trend Micro’s Zero-Day Initiative (ZDI), in a blog. “Instead, a total of five CVEs are addressed by fixes for Adobe Bridge, Experience Manager, and Dreamweaver. The CVE corrected by the Bridge patch fixes an information disclosure bug and was reported through the ZDI program. The Experience Manager patch is the largest this month, with three CVEs referenced. All are input validation bugs. The patch for Dreamweaver corrects a single DLL-loading issue. None of these bugs are listed as being publicly known or under active attack at the time of release.” Don’t miss our free live Threatpost webinar, “*Streamlining Patch Management,” on Wed., July 24, at 2:00 p.m. EDT. Please join Threatpost editor Tom Spring and a panel of patch experts as they discuss the latest trends in Patch Management, how to find the right solution for your business and what the biggest challenges are when it comes to deploying a program. *Register and Learn More

Source

image
By Waqas The vulnerability in the Zoom video conference app lets attackers hijack Mac’s camera by merely using malicious websites. The Zoom video conference app is currently being used by millions of users around the world and that makes it a lucrative target for cybercriminals. Jonathan Leitschuh, an IT security researcher has discovered a critical zero-day vulnerability […] This is a post from HackRead.com Read the original post: Vulnerability in Zoom video conference app lets Mac’s camera hijacking

Source

image
Over 1,300 popular Android apps defy user permissions and gather sensitive data with no consent, according to a study by a coalition of academics from the International Computer Science Institute. The report examined popular mobile apps available through the U.S. version of the Google Play store, including apps published by Disney, Samsung and niche app-makers such as the popular photo app Shutterfly. What researchers found was that many of the apps extracted sensitive user information – including current geolocation data, historical geolocation data and MAC addresses – without consent. In one example of how the circumvention takes place, researchers cited Shutterfly. Despite a user not giving the app permission to access private user information, Shutterfly collects GPS data using exchangeable image file format (EXIF) metadata from user images, researchers said. “We observed that the Shutterfy app sends precise geolocation data to its own server without holding a location permission,” researchers wrote. Shutterfly gleans precise phone location data from the EXIF data generated by each image, which embeds the GPS coordinates in each image taken. “The app actually processed the image file: it parsed the EXIF metadata—including location—into a JSON object with labeled latitude and longitude fields and transmitted it their servers.” What Shutterstock has in common with the other apps singled out by researchers is that they all use the same software developer kit (SDK) made by the China-based Baidu, with help from an analytics firm called Salmonads. Researchers explain the SDK is used by all 1,300 apps it analyzed, so each share the same underlying framework. Where things become problematic is when, for example, the framework is shared between two apps. One app restricts access to location data and the other is allowed to share it. Researchers say the SDK sometimes sidesteps restrictive permissions of one app and adopts the rules of the other app that shares user data. In this way, an app doesn’t have to get Android device-level permission to access geolocation data. The app can take advantage of the shared SDK framework and collect geolocation data from another app that does have location permissions, instead. “Our work shows a number of side and covert channels that are being used by apps to circumvent the Android permissions system,” the researchers wrote. “The number of potential users impacted by these findings is in the hundreds of millions.” Researchers said this practice defies users’ reasonable expectations of privacy and that the behaviors may constitute violations of various laws. That said, researchers do not believe Shutterfly had any malicious intent; an assertion shared by the company in a statement. “Like many photo services, Shutterfly uses this data to enhance the user experience with features such as categorization and personalized product suggestions, all in accordance with Shutterfly’s privacy policy as well as the Android developer agreement,” the company stated. A Shutterfly spokesperson added in a statement that its app only collects personal information with a user’s explicit permission. However, researchers note the side effect of this type of inadvertent data collection might not always be innocent. Researchers describe two ways data can be share without consent. One is via a “side channel” where data is inadvertently do to a flaw in design that accidentally leaks data. The second is “covert channels”. “A covert channel is a more deliberate and intentional effort between two cooperating entities so that one with access to some data provides it to the other entity without access to the data in violation of the security mechanism,” researchers wrote. The study was released Monday (PDF) by the Federal Trade Commission as a follow-on to its PrivacyCon 2019 confab last month. The study examined 88,113 popular apps from the U.S. Google Play store, and found that 1,300 of the apps and third-party libraries that employ side channels or “covert channels” to circumvent Android’s security measures. In all cases, apps could access the location data and MAC address of users’ devices. Researchers contacted Google and the FTC in September after its’ final analysis. Google said its Android Q, expected to released later this year, will address this type of permission abuse.

Source

image
The U.K.’s privacy watchdog is hitting Marriott International with a $123 million (£99 million) penalty stemming from its 2018 data breach of more than 383 million guest records. The Tuesday fine is issued by the Information Commissioner’s Office (ICO) and comes only a day after the organization proposed a record $230 million fine against British Airways for its own 2018 data breach. Experts say the dual penalties signal that organizations are increasingly cracking down on company data security incidents under the umbrella of the General Data Protection Regulation (GDPR). The ICO said its investigation found that Marriott failed to undertake sufficient due diligence when it bought the Starwood properties, and should also have done more to secure its systems: “The GDPR makes it clear that organizations must be accountable for the personal data they hold,” Information Commissioner Elizabeth Denham said in a statement. “This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.” In November 2018, Marriott said that a massive data breach of its guest reservation system left up to 500 million guests’ data exposed and available for the taking, a number that was later corrected to 383 million records. The hackers gained unauthorized access to Starwoods’ network back in 2014, before Marriott acquired Starwoods in 2015. Marriott said it discovered the breach on Sept. 8, 2018. Tim Mackey, principal security strategist at Synopsys’ Cybersecurity Research (CenterCyRC), told Threatpost that in the case of Marriott, “it comes as a result of a merger and acquisition scenario.” He noted, “So whenever an acquirer is looking at a potential potential acquisition target, one of the things they’re trying to assess is what the latent risks are to the business… in all likelihood, the Marriott team didn’t necessarily look at what the potential for a latent undisclosed data breach might be. And so now, there’s an actual real cost associated with not having a clear picture on the IT operations of an acquisition target.” Marriott said that hackers stole data like name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences for 327 million of its guests. Marriott for its part hit back saying it would appeal the proposed penalty. “We are disappointed with this notice of intent from the ICO, which we will contest,” Arne Sorenson, Marriott International president and CEO, said in a statement. “Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.” The penalty comes a day after ICO proposed a $230 million fine on British Airways, after a 2018 data breach impacted 500,000 of the airline’s customers. That fine would be the largest levied by GDPR, surpassing previous penalties such as a fine against Google for $57 million; as well as other ICO penalties including fines for Facebook of $645,000 that stemmed from Cambridge Analytica’s data harvesting practices; and fines for Equifax of $645,000 for the company’s failure to protect 15 million U.K. citizens in a 2017 cyberattack. After GDPR restrictions were enforced (May 2018), the rules allow for maximum penalties of as much as 4 percent of a company’s global turnover. “Effectively we’ve just crossed the one-year anniversary [of GDPR], and since it’s not a case of individuals being able to bring suit against the companies that were breached, it has to go through the regulatory review process in whatever country the entity has its base of operations in,” Mackey said. “Yesterday was all about British Airways, today is about Marriott… Marriott is not an EU enterprise, it is a global enterprise, and as a result this hammers home the reality that GDPR applies to all organizations regardless of where they’re located… it’s based primarily off of where the breached parties are located, so in this case EU residents.” Don’t miss our free live Threatpost webinar, “*_Streamlining Patch Management*,” on Wed., July 24, at 2:00 p.m. EDT. Please join Threatpost editor Tom Spring and a panel of patch experts as they discuss the latest trends in Patch Management, how to find the right solution for your business and what the biggest challenges are when it comes to deploying a program. _Register and Learn More

Source

image
A zero-day vulnerability in the Zoom client for Mac allows a malicious website to hijack a user’s web camera without their permission. Up to 4 million workers that use the Zoom for Mac web-and videoconferencing service are at risk from a flaw in the collaboration client (CVE-2019–13450), according to researcher Jonathan Leitschuh (he noted that Mac users make up about 10 percent of Zoom’s customer base of 40+ million). An outside adversary would need only to convince a user to visit a malicious website with a specially crafted iFrame embedded, which would automatically launch a Mac user into a Zoom web conference while turning on their camera. Leitschuh said that web conferencing services that use Zoom as their core platform, like Ringcentral, are also likely impacted. The issue exists in the fact that the default setting for creating a new meeting is the “Participants: On” option. This automatically joins an invited person to the meeting, with webcam enabled, without the person having to give permission beyond clicking the meeting link itself. Leitschuh was able to take this functionality a step further to create a proof-of-concept exploit for drive-by information disclosure. By embedding a meeting link into the iFrame of a webpage, anyone visiting that webpage would be automatically joined to that meeting, from which an adversary could view their camera feed. “This vulnerability leverages the amazingly simple Zoom feature where you can just send anyone a meeting link (for example https://zoom.us/j/492468757), and when they open that link in their browser their Zoom client is magically opened on their local machine,” Leitschuh said in a Monday posting. He added, “All a website would need to do is embed [a meeting link] in their website and any Zoom user will be instantly connected with their video running. This could be embedded in malicious ads, or it could be used as a part of a phishing campaign.” In terms of who’s impacted, any Mac user that has ever used Zoom is at risk – thanks to a persistence feature in the service. “If you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage,” explained Leitschuh. “This re-install ‘feature’ continues to work to this day.” He added, “The local client Zoom web server is running as a background process, so to exploit this, a user doesn’t even need to be ‘running’ (in the traditional sense) the Zoom app to be vulnerable.” For users who haven’t updated recently, the situation could get worse, too. If combined with a remote-code execution flaw recently found by Tenable (since patched), CVE-2019–13450 would allow any website on the internet to launch code on a user’s machine. “I advised Zoom that if they have any users that are still using Zoom 4.1.33259.0925 versions or lower, this would be a very potent attack,” the researcher said. And, there’s also a second flaw (CVE-2019–13449), fixed in client version 4.4.2, that would allow an attacker to cause denial-of-service on a Mac by repeatedly joining a user to an invalid call. Leitschuh disclosed the camera issue, which has a CVSSv3 severity score of 5.2 out of 10, to Zoom on March 26. While Zoom confirmed the vulnerability a couple of weeks later, the security team didn’t have a meeting with him on the bug until June 11. Zoom then implemented a quick fix that Leitschuh had suggested, but this only partially addresses the problem, he said. “I was very easily able to spot and describe bypasses in their planned fix,” he said. “Ultimately, Zoom failed at quickly confirming that the reported vulnerability actually existed and they failed at having a fix to the issue delivered to customers in a timely manner. An organization of this profile and with such a large user base should have been more proactive in protecting their users from attack.” Zoom didn’t immediately respond to Threatpost when asked for comment, but in a statement on its website, it downplayed the severity of the problem: “Of note, because the Zoom client user interface runs in the foreground upon launch, it would be readily apparent to the user that they had unintentionally joined a meeting and they could change their video settings or leave immediately. Also of note, we have no indication that this has ever happened.” It also said that as part of its upcoming July 2019 release, Zoom will apply and save the user’s video preference from their first Zoom meeting to all future Zoom meetings. “Users and system administrators can still configure their client video settings to turn OFF video when joining a meeting,” it said. “This change will apply to all client platforms.” Bugs in conferencing platforms are not uncommon. In addition to Zoom’s issues, Cisco patched a critical vulnerability in the recording function of its WebEx conferencing platform late last year that could allow remote code execution. And Adobe last year worked to patch flaws in its conferencing software tool Adobe Connect. In this case, Zoom users on Mac can protect themselves by manually disabling the ability for Zoom to turn on the webcam when joining a meeting.

Source