Security News

US-based Zoom users may have a little cash coming their way after the video meeting outfit lodged a preliminary settlement in a class action related to some of its less-than-brilliant security and data protection practices. The settlement was filed Saturday in an attempt to end a class action that alleged Zoom indulged in unlawful activities - including misrepresenting its end-to-end encryption capabilities and unauthorized transfer of personal data to third parties like Facebook, Google and LinkedIn - as well as implementing grossly inadequate security and privacy controls.

First comes spear-phishing, next download of malicious DLLs that spread to removable USBs, dropping Cobalt Strike Beacon, and then, sometimes, a fake Zoom app. Luminous Moth was first going after important organizations in Myanmar, where researchers came across about 100 victims.

VMware announced its work with Zoom to enable a better and more secure collaboration experience for hybrid work environments. VMware Anywhere Workspace is available today and brings together the benefits of three innovative solutions - VMware Workspace ONE, VMware Carbon Black Cloud and VMware SASE. Through relationships with Zoom, VMware is delivering interoperable solutions with VMware Anywhere Workspace to better support a hybrid workforce.

Non-profit research and development organization MITRE on Friday announced that video conferencing giant Zoom has been named a CVE Numbering Authority. Zoom can now assign CVE identifiers to vulnerabilities found in Zoom and Keybase products - Zoom acquired Keybase in 2020 - but it cannot assign CVEs to security holes found in third-party products.

While apps like Zoom, Slack, Teams and others are great for working from anywhere, they also create a larger attack surface.

The 2021 spring edition of Pwn2Own hacking contest concluded last week on April 8 with a three-way tie between Team Devcore, OV, and Computest researchers Daan Keuper and Thijs Alkemade. A zero-click exploit targeting Zoom that employed a three-bug chain to exploit the messenger app and gain code execution on the target system.

The annual Pwn2Own contest features live hacking where top cybersecurity researchers duke it out under time pressure for huge cash prizes. Pwn2Own is a bug bounty program with a twist.

Contestants hacked Microsoft's Windows 10 OS twice during the second day of the Pwn2Own 2021 competition, together with the Google Chrome web browser and the Zoom video communication platform. The first to demo a successful Windows 10 exploit on Wednesday and earn $40,000 was Palo Alto Networks' Tao Yan who used a Race Condition bug to escalate to SYSTEM privileges from a normal user on a fully patched Windows 10 machine.

Two researchers earned $200,000 on the second day of the Pwn2Own 2021 hacking competition for a Zoom exploit allowing remote code execution without user interaction. Also on the second day of Pwn2Own 2021, Bruno Keith and Niklas Baumstark of Dataflow Security earned $100,000 for an exploit that works both on the Chrome and Microsoft Edge web browsers.

A newly discovered glitch in Zoom's screen sharing feature can accidentally leak sensitive information to other attendees in a call, according to the latest findings. It's worth pointing out that the screen sharing functionality in Zoom lets users share an entire desktop or phone screen, or limit sharing to one or more specific applications, or a portion of a screen.