Security News

An exploration of zero-click attack surface for the popular video conferencing solution Zoom has yielded two previously undisclosed security vulnerabilities that could be exploited to crash the service, execute malicious code, and even leak arbitrary areas of its memory. Natalie Silvanovich of Google Project Zero, who discovered and reported the two flaws last year, said the issues impact both Zoom clients and Multimedia Router servers, which transmit audio and video content between clients in on-premise deployments.

Amazon AWS is experiencing an outage that has impacted numerous online services, including Twitch, Zoom, PSN, Xbox Live, Doordash, Quickbooks Online, and Hulu. AWS engineers are working on addressing the root cause behind this outage and said they have already taken steps to restore connectivity.

One good way to prevent unwelcome participants or late arrivals from joining your Zoom meetings is to lock those meetings. Before you schedule or start your Zoom meeting, alert all potential participants that the meeting will be locked at a certain point, such as 10 minutes after it has started.

Zoom has announced today the launch of an automatic update feature designed to streamline the update process for desktop clients. "For most individual users, automatic updates will be enabled by default. When enabled, users will have the opportunity to opt-out of automatic updates for their desktop client after the first install or first update where this feature is present," said Jeromie Clark, Security & Privacy Technical Product Manager at Zoom.

Zoom has patched vulnerabilities in its range of local solutions for conferences, negotiations and recordings - Zoom Meeting Connector Controller, Zoom Virtual Room Connector, Zoom Recording Connector and others. As a result of exploiting this vulnerability, intruders could compromise the software's functionality, creating a situation when holding Zoom conferences would have been impossible.

US-sanctioned Positive Technologies has pointed out three vulnerabilities in Zoom that can be exploited to crash or hijack on-prem instances of the videoconferencing system. One of the trio of bugs is an input validation flaw, which can be abused by a malicious Zoom portal administrator to inject and execute arbitrary commands on the machine hosting the software.

Zoom's ties to China are at the center of a US government investigation into the video-conferencing giant's $15bn plan to take over Five9, a California call-center-in-the-cloud. The FCC was reviewing an application [PDF] by Zoom and Five9 as part of the takeover bid until the regulator was asked by Justice Department official David Plotinsky to hold off until the committee had finished scrutinizing the overall deal.

Zoom just lost an $85 million class-action lawsuit this week for its cybersecurity missteps, proving that even the most essential and relied-upon brands can be tripped up by inadequate security. "This large Zoom settlement should be a wake-up call to not only all software and service providers, but also for the enterprises that use them," Emil Sayegh, president and CEO of Ntirety explained to Threatpost.

The facts aren't news, but Zoom will pay $85M - to the class-action attorneys, and to users - for lying to users about end-to-end encryption, and for giving user data to Facebook and Google without consent. The proposed settlement would generally give Zoom users $15 or $25 each and was filed Saturday at US District Court for the Northern District of California.

Zoom, the videoconferencing firm, has agreed to settle a class-action US privacy lawsuit for $85 million, it said Sunday. The suit charged that Zoom's sharing of users' personal data with Facebook, Google and LinkedIn was a breach of privacy for millions.