If you have been following the news, you probably noticed that the Internet is abuzz about the latest vulnerability in Zoom. The attack was identified by Jonathan Leitschuh, a security researcher who has detailed the vulnerability and has provided a PoC to reproduce the attack in this blog post. I would highly recommend that everyone give it a read and take the necessary actions per your company policy.
Browsers have been, and will remain, one of the most important vectors for launching an attack. Over the years the browser has grown from a tool for browsing the Internet into a platform that runs applications and other advanced technologies, and attackers continuously assess such platforms for vulnerabilities. In 2018 and early 2019 we saw IE and Chrome zero days being used by attackers in the wild; now it is Zoom’s turn.
What is the vulnerability and how does it get exploited?
The vulnerability is in how Zoom launches a meeting from the browser. The Zoom website talks to a web server running locally on the user’s machine, and that local server launches the desktop application. Because the browser is only asked to send an ordinary HTTP request to localhost, none of the sandbox functionality built into the browser stands between the web page and the native application.
When a user installs the Zoom application, it also installs a local web server on the endpoint. That server exposes an API that accepts commands, and it answers any page that can reach it. An attacker can host a malicious website that issues a GET request to the Zoom web server running on localhost (for example from an image tag, which the browser fetches without any user interaction) and use it to:
- Add the user to an existing call, with their webcam turned on, to spy on them.
- Add a malicious user to an existing call.
- Send further requests to the exposed local web server, which may have additional vulnerabilities of its own.
How does Menlo protect against this vulnerability?
When a user accesses a malicious website through isolation, all the resources loaded by that website are fetched by the Menlo cloud browser, in disposable virtual containers that cannot communicate with localhost on the user’s machine. Malicious code never reaches the endpoint, and the GET requests the page triggers through tags such as “img” are issued by the cloud browser rather than the client browser, so they never reach the Zoom web server on the endpoint. The website may still send requests to localhost inside our secure container, but it finds no server listening on that port, and the attack fails.
Attackers go after popular platforms. Zoom is a very popular video conferencing application, and it would not be surprising if the PoC published by the security researcher started being used by attackers for nefarious purposes. While Menlo Security’s isolation product protects against this attack, we recommend that security admins update their Zoom apps immediately.