Image

“[The Windows zero-day] is nice, a clean RCE [Remote Code Execution],” said one of the sources, who is a veteran of the cybersecurity industry. “Perfect for industrial espionage.”The reference to remote code execution is particularly worrying, as this allows a hacker to run malicious code on a target's computer without authorization. A malicious actor could use that code to spy on communications, steal data, or open a backdoor for further exploitation. According to the report, hackers wanting to get the most bang for their buck would need to use the Zoom for Windows zero-day exploit in co-ordination with other exploit code to gain full access to a PC. The source claims that the exploit requires the hacker to be on a Zoom call with their intended target, which certainly makes an attack less surreptitious. The macOS zero-day exploit, meanwhile, is said to not to lead to remote code execution, making it harder for potential hackers to leverage. Nonetheless, no-one likes to hear that there are critical unpatched vulnerabilities in their software. In recent weeks, Zoom has taken impressive security-minded steps, including acknowledging the mistakes it has made in the past and explaining what it is doing going forward to improve the service's security and privacy. Half a million bucks is a not an inconsiderable amount of money, and it's unlikely to make financial sense for the typical financially-motivated cybercriminal who will realize that they may only be able to exploit the flaw on a small number of occasions before it is patched. But an attack which is orchestrated by an authoritarian government or intelligence agency may have no qualms about paying such an amount if they felt it would help them spy upon their enemies. As a result, I think those with the most to lose (such as government officials and the military) who may find themselves regularly targets of interest to state-sponsored attackers might be wise to evaluate which video conferencing platforms they feel can offer them the highest level of security. For most of the rest of us, Zoom remains a good choice if you're trying to keep in touch with colleagues and family. Just make sure to keep it updated with the latest patches, check your security settings, be wary of unsolicited email invitations to Zoom meetings, and follow guidance about how to host meetings more safely to avoid unwanted intruders.