Security News

Hot on the heels of Microsoft's report card from the Dutch department of Justice and Security comes news of rival messaging platform Zoom receiving a nod via a renewed Data Protection Impact Assessment. Zoom's end-to-end encryption on all chats and meetings received a thumbs-up, as did a commitment from Zoom to process all personal data exclusively in European data centres by the end of the year.

Apple Mac users running the Zoom meetings app are reporting that it's keeping their computer's microphone on when they aren't using it. Users began complaining about the issue after Monterey was released late last year, and on December 27, Zoom Inc put out an update that was meant to address the bug, stating that version 5.9.1 "Resolved an issue regarding the microphone light indicator being triggered when not in a meeting."

A new SEO poisoning campaign is underway, dropping the Batloader and Atera Agent malware onto the systems of targeted professionals searching for productivity tool downloads, such as Zoom, TeamViewer, and Visual Studio. These campaigns rely on the compromise of legitimate websites to plant malicious files or URLs that redirect users to sites that host malware disguised as popular apps.

An exploration of zero-click attack surface for the popular video conferencing solution Zoom has yielded two previously undisclosed security vulnerabilities that could be exploited to crash the service, execute malicious code, and even leak arbitrary areas of its memory. Natalie Silvanovich of Google Project Zero, who discovered and reported the two flaws last year, said the issues impact both Zoom clients and Multimedia Router servers, which transmit audio and video content between clients in on-premise deployments.

Amazon AWS is experiencing an outage that has impacted numerous online services, including Twitch, Zoom, PSN, Xbox Live, Doordash, Quickbooks Online, and Hulu. AWS engineers are working on addressing the root cause behind this outage and said they have already taken steps to restore connectivity.

One good way to prevent unwelcome participants or late arrivals from joining your Zoom meetings is to lock those meetings. Before you schedule or start your Zoom meeting, alert all potential participants that the meeting will be locked at a certain point, such as 10 minutes after it has started.

Zoom has announced today the launch of an automatic update feature designed to streamline the update process for desktop clients. "For most individual users, automatic updates will be enabled by default. When enabled, users will have the opportunity to opt-out of automatic updates for their desktop client after the first install or first update where this feature is present," said Jeromie Clark, Security & Privacy Technical Product Manager at Zoom.

Zoom has patched vulnerabilities in its range of local solutions for conferences, negotiations and recordings: Zoom Meeting Connector Controller, Zoom Virtual Room Connector, Zoom Recording Connector and others. By exploiting this vulnerability, intruders could compromise the software's functionality, creating a situation in which holding Zoom conferences would have been impossible.

US-sanctioned Positive Technologies has pointed out three vulnerabilities in Zoom that can be exploited to crash or hijack on-prem instances of the videoconferencing system. One of the trio of bugs is an input validation flaw, which can be abused by a malicious Zoom portal administrator to inject and execute arbitrary commands on the machine hosting the software.

Zoom's ties to China are at the center of a US government investigation into the video-conferencing giant's $15bn plan to take over Five9, a California call-center-in-the-cloud. The FCC was reviewing an application by Zoom and Five9 as part of the takeover bid until the regulator was asked by Justice Department official David Plotinsky to hold off until the committee had finished scrutinizing the overall deal.