Dutch researchers find critical vulnerabilities in Zoom

Dutch security researchers Daan Keuper and Thijs Alkemade have found three critical vulnerabilities in Zoom that make it possible to take over users' systems remotely. A security update to fix the problem is not yet available. The two researchers from IT company Computest demonstrated their attack on Zoom during the annual Pwn2Own competition. The researchers received $200,000 for their demonstration.

Pwn2Own is a three-day competition held annually in Vancouver. Due to the corona pandemic, participants were allowed to take part remotely, just like last year. During Pwn2Own, security researchers are rewarded for demonstrating unknown vulnerabilities in commonly used products, such as browsers, business applications, server software and virtualization software.

Because so many people are working from home, video calling software was added as a new category in this year's edition. An audio call, video conference, or message that compromises Zoom or Microsoft Teams users remotely earns $200,000.

During the second day of Pwn2Own, Keuper and Alkemade demonstrated their attack on Zoom's chat function. By combining three vulnerabilities, they managed to run code on the system without any interaction from the victim. Further details have not been disclosed. Information about the vulnerabilities is now shared with Zoom so that the company can develop a security update.

"Zoom was of course already under fire last year because of the necessary vulnerabilities. This mainly concerned the security of the application itself, and the possible monitoring and listening with the video calls. Our discoveries continue, however. Due to vulnerabilities in the client, we were able to take over the entire system from users," said Keuper.

Google Chrome, Microsoft Edge, Exchange and Parallels Desktop
The demonstration of the Dutch security researchers was not the only attack shown today. Researcher Jack Dates of RET2 Systems managed to take over the underlying operating system by means of three vulnerabilities in virtualization software Parallels Desktop. The demonstration was rewarded with $40,000.

Bruno Keith and Niklas Baumstark from Dataflow Security managed to develop an exploit for Google Chrome and Microsoft Edge. By means of a "type mismatch" bug, the researchers were able to execute code within both browsers. The attack, in which it is enough to just visit a rogue or compromised website, earned Keith and Baumstark a total of $100,000.

Subsequently, researchers from Team Viettel showed a successful attack against Microsoft Exchange. The researchers managed to take over a fully patched Exchange server remotely. Since some of the vulnerabilities used had already been demonstrated by another security company during the first day of Pwn2Own, Team Viettel's demonstration was labeled a 'partial win'.

The last day of Pwn2Own is scheduled for tomorrow, with attacks against Ubuntu Desktop, Windows 10, Parallels Desktop and Microsoft Exchange.
