With progress, it is no longer necessary to be physically present to accomplish certain tasks thanks to the emergence of online meeting and teleworking platforms. This is how the Zoom software was born. Recently, an expert pinpointed two major security holes in the system that could be used by hackers. In addition, the MMR servers used by said platform also encounter some problems.
In reality, both bugs encountered relate to the buffer overflow vulnerability and a process memory exposure flaw. These two flaws could be used by malicious people to do crash the platform or get an overview of arbitrary areas of the product’s memory.
The discovery of these major Zoom vulnerabilities is attributed to Natalie Silvanovich , an expert in computer security from Google Project Zero . The latter is also involved in a multitude of other Google projects.
Two potential doors entry point for hackers
Indeed, the failures noted on Zoom would have paved the way for no-click hacking, a sneak attack that leaves no traces. In addition, the flaws identified are CVE-2022-20850 (CVSS score: 9.8) and CVE-1920-34423 (CVSS score: 7.5). The first defect concerns the buffer memory. An overload of the latter could lead to the execution of malicious and arbitrary code.
The second bug to him is located at the level of the memory of the process. By using it, hackers could gain insight into arbitrary areas of the product’s memory. Furthermore, an analysis of the RTP (Real-time Transport Protocol) revealed that it was possible to manipulate data that may mislead Zoom clients and MMR (Multimedia Router) servers.
A failure also affecting multimedia servers By pushing her research, Natalie Silvanovich also unearthed some problems related to multimedia servers. These errors would be due to the lack of ASLR ( address space layout randomization). Natalie says to this effect: “The lack of ASLR in the Zoom MMR process has considerably increased the risk that an attacker could compromise it. ”
This also denounced the fact that Zoom uses proprietary libraries while all other videoconferencing platforms use open-source. This act has the direct consequence of increasing the costs of license.
Finally, the expert in computer security completed his saying: “Closed-source software presents unique security challenges, and Zoom could do more to make their platform accessible to researchers safe and to others who wish to evaluate it. »
Writing constitutes the one of the activities that allow me to channel my passion, besides philosophy, sports and chess. In everything I do, I strive for perfection, knowing that no one can catch up. “We are what we do repeatedly. Excellence, therefore, is not an act. It’s a habit. – Aristotle