Original Post from InfoSecurity Magazine
Zoom Patches Three New Bugs in Scramble to Support Remote Workers
Zoom has announced a freeze on new features as it grapples with emerging security and privacy issues, including three new security bugs revealed this week.
The video conferencing app has been catapulted into the mainstream after widespread COVID-19 government lockdowns across the globe force home working and schooling on a massive scale. The number of daily meeting participants has grown from 10 million in December to roughly 200 million in March, according to the firm.
However, this has led to increased scrutiny of the platform: researchers this week published details of a new vulnerability in the Zoom Windows client which could be exploited to steal user passwords, and two flaws in the macOS app which could be abused to remotely install malware or eavesdrop on users.
These follow discoveries of serious vulnerabilities in the product last year.
Although Zoom CEO Eric Yuan revealed in a post on Thursday that the firm had promptly patched all three bugs disclosed this week, concerns persist about the platform’s approach to security and privacy.
Organizations as diverse as the UK’s Ministry of Defence, SpaceX and NASA have banned employees from using the tool, and there has been widespread criticism after the firm appeared to mislead users into thinking their video meetings were end-to-end encrypted, when in fact they aren’t.
Yuan apologized for that, and clarified several steps that the firm is taking to improve privacy, including removing the Facebook SDK in its iOS client, after reports emerged that it was sending user data to the social network, even for non-Facebook users.
It has also permanently removed an “attention tracker” feature which critics claimed could allow employers to spy on their staff.
Zoom has also been trying to educate users into following best practices like not sharing meeting IDs online, and using protective features on the platform which could prevent “Zoombombing” — incidents where uninvited guests join and disrupt meetings.
Going forward, the firm will enact a “feature freeze” in order to devote all engineering resources to security and privacy issues. It will also carry out a comprehensive review with third-party experts to improve security in consumer use cases, and engage with security leaders via a new CISO council.
“We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived,” Yuan argued.
“These new, mostly consumer use cases have helped us uncover unforeseen issues with our platform. Dedicated journalists and security researchers have also helped to identify pre-existing ones. We appreciate the scrutiny and questions we have been getting – about how the service works, about our infrastructure and capacity, and about our privacy and security policies.”
Go to Source