Critical Zoom vulnerability triggers remote code execution without user input | ZDNet

The researchers who discovered the bug have earned themselves $200,000.


By Charlie Osborne for Zero Day | April 9, 2021 -- 10:15 GMT (11:15 BST) | Topic: Security

A zero-day vulnerability in Zoom which can be used to launch remote code execution (RCE) attacks has been disclosed by researchers.

Pwn2Own, organized by the Zero Day Initiative, is a contest for white-hat cybersecurity professionals and teams to compete in the discovery of bugs in popular software and services.

The latest competition included 23 entries, competing in different categories including web browsers, virtualization software, servers, enterprise communication, and local escalation of privilege.

For successful entrants, the financial rewards can be high -- and in this case, Daan Keuper and Thijs Alkemade earned themselves $200,000 for their Zoom discovery.

The researchers from Computest demonstrated a three-bug attack chain that caused an RCE on a target machine, and all without any form of user interaction.

As Zoom has not yet had time to patch the critical security issue, the specific technical details of the vulnerability are being kept under wraps. However, an animation of the attack in action demonstrates how an attacker was able to open the calculator program of a machine running Zoom following its exploit.

As noted by Malwarebytes, the attack works on both Windows and Mac versions of Zoom, but it has not -- yet -- been tested on iOS or Android. The browser version of the videoconferencing software is not impacted.

In a statement to Tom's Guide, Zoom thanked the Computest researchers and said the company was "working to mitigate this issue with respect to Zoom Chat." In-session Zoom Meetings and Zoom Video Webinars are not affected.

"The attack must also originate from an accepted external contact or be a part of the target's same organizational account," Zoom added. "As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust."

Vendors have a 90-day window, which is standard practice in vulnerability disclosure programs, to resolve the security issues found. End-users just need to wait for a patch to be issued -- but if worried, they can use the browser version in the meantime.

"This event, and the procedures and protocols that surround it, demonstrate very nicely how white-hat hackers work, and what responsible disclosure means," Malwarebytes says. "Keep the details to yourself until protection in the form of a patch is readily available for everyone involved (with the understanding that vendors will do their part and produce a patch quickly)."

Other successful attacks of note during the contest include:

Apple Safari: Jack Dates, kernel-level code execution, $100,000
Microsoft Exchange: DEVCORE, complete server takeover, $200,000
Microsoft Teams: OV, code execution, $200,000
Ubuntu Desktop: Ryota Shiga, standard user to root, $30,000