Thursday, 02 April 2020 06:45

Google staffers in spat over revelation of Zoom zero-days

A row has broken out between researchers from Google after ex-NSA hacker Patrick Wardle revealed the details of two zero-day vulnerabilities in the Mac version of Zoom that could be exploited to give an attacker root access. Neither vulnerability is remotely exploitable; both can only be taken advantage of by a local attacker, someone who has physical access to the machine in question.

Wardle provided details to Zack Whittaker, a reporter for the publication TechCrunch. Responding to a tweet from Whittaker that promoted his article, Heather Adkins, the director of security and privacy at Google, asked whether the bugs had been "responsibly disclosed" to Zoom and whether the company had been given time to fix the vulnerabilities. 

Security researchers normally consider 90 days to be a reasonable period for fixing any bugs; Google's own Project Zero team gives companies this amount of time to fix a bug and then reveals details immediately after this deadline expires.

Zoom has been one of the few companies that has seen its share price rise sharply during the coronavirus pandemic, as huge numbers of people have been forced to operate from their residences and are using it to work from home.

Supporting Adkins, former Facebook chief security officer Alex Stamos tweeted: "Yes. Just because they [Zoom] are in the news doesn't make dropping 0-day in TechCrunch appropriate."

But Tavis Ormandy, a well-known member of the Google Project Zero team, sharply disagreed. "Disagree, it's a problem with the installation, and installations are spiking *now*, not in six months. Now is the time to make sure people are aware of the risks, good work @patrickwardle This is what real responsible disclosure looks like," he said.

Backing Ormandy's view was Dave Aitel, like Wardle an ex-NSA man and founder of security firm Immunity. "People think that the responsible and responsible disclosure means that you have some sort of weird responsibility to the vendor when that is in fact not the case :)," he said.

Aitel's views have not changed from those he expressed to this writer 15 years ago, during a detailed interview. Asked about responsible disclosure, his take was: "Look, these problems (vulnerabilities) have existed for years. Multiple people come up with the same discoveries all the time. I am not arrogant enough to think that when I find a serious flaw in an application that is widely used by business, only Dave Aitel can find this out.

"No, I know that dozens of blackhats would have found these same holes already. Look at any security mailing list - Full Disclosure or Bugtraq, for example. The number of people posting under anonymous names is much, much greater than the researchers who disclose their names. The security community is a year or two behind the blackhats.

"All I am doing is making my clients aware of the risk at which they are putting themselves when they use a given application. What's wrong with that?"

An individual who uses the handle Bryan Riddles, but did not identify his affiliations, spoke out in support of Adkins, saying: "Any company deserves to learn about security vulnerabilities directly from the researcher, not the media. If the researcher didn't first notify the impacted vendor and give them a fair amount of time to respond, that's irresponsible to the community."

But his view was contradicted by an individual who goes by the handle hotelzululima -WASH YOUR DAMN HANDS!- BOFH guild, who said: "What utter crap!!!.. They will dissemble and delay and try to shut the researcher up legally. Been seeing this same scenario for 40 years now. Hasn't ever got much different. [Of] course when your pay cheque depends on you saying the sky is green... that's what lackeys do."

Ormandy then responded with this: "Cool, and what will that response be exactly? 'If you installed anytime in the last three months, you were at risk.... our bad lol!'. People are installing it *now*, how does that help them? It doesn't. You're arguing to hide the risk to help with reputation management."

Asked for his take, former NSA hacker Jake Williams said he had no issue with Wardle exposing details of the vulnerabilities publicly before contacting Zoom.

"The vulns Wardle disclosed piggyback [and are] only possible if an attacker is already local on a machine, meaning they aren't remote code execution vulnerabilities (though there's plenty of concern there with Zoom)," he said.

Williams, who now runs his own security outfit Rendition Infosec, added: "I'd still support him if he dropped RCEs [details of flaws that are exploitable remotely] though – Zoom is being used by a LOT of people right now who don't understand the security implications of the software. His disclosure is forcing them to fix these vulnerabilities in a way that non-public disclosure likely would not.

"FWIW, [for what it's worth] I'm an advocate of full disclosure. The disclosure 'debate' is something that vendors largely engineered to save face."

Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.