Zoom vulnerabilities impact clients, MMR servers

Two vulnerabilities recently disclosed to Zoom could have led to remote exploitation in clients and MMR servers, researchers say. 

On Tuesday, Project Zero researcher Natalie Silvanovich published an analysis of the security flaws, the results of an investigation inspired by a zero-click attack against the videoconferencing tool demonstrated at Pwn2Own.

“In the past, I hadn’t prioritized reviewing Zoom because I believed that any attack against a Zoom client would require multiple clicks from a user,” the researcher explained. “That said, it’s likely not that difficult for a dedicated attacker to convince a target to join a Zoom call even if it takes multiple clicks, and the way some organizations use Zoom presents interesting attack scenarios.”

Silvanovich found two different bugs: a buffer overflow issue that impacted both Zoom clients and Zoom Multimedia Routers (MMRs), and an information leak security flaw central to MMR servers.

A lack of Address Space Layout Randomization (ASLR), a security mechanism to protect against memory corruption attacks, was also noted.

“ASLR is arguably the most important mitigation in preventing exploitation of memory corruption, and most other mitigations rely on it on some level to be effective,” Silvanovich noted. “There is no good reason for

Read More: https://www.zdnet.com/article/zoom-vulnerabilities-impact-clients-mmr-servers/#ftag=RSSbaffb68