mjensen.org

Zoom...again

Zoom drops the ball again

https://www.theverge.com/2022/8/12/23303411/zoom-defcon-root-access-privilege-escalation-hack-patrick-wardle

In my opinion, privilege escalation bugs aren’t the worst class of bugs. They’re not an open front door. It’s like letting anyone already inside the bank wander into the vault, rather than failing to keep unauthorized people out of the bank in the first place.

From that article:

Following responsible disclosure protocols, Wardle informed Zoom about the vulnerability in December of last year. To his frustration, he says an initial fix from Zoom contained another bug that meant the vulnerability was still exploitable in a slightly more roundabout way, so he disclosed this second bug to Zoom and waited eight months before publishing the research.

“To me that was kind of problematic because not only did I report the bugs to Zoom, I also reported mistakes and how to fix the code,” Wardle told The Verge in a call before the talk. “So it was really frustrating to wait, what, six, seven, eight months, knowing that all Mac versions of Zoom were sitting on users’ computers vulnerable.”

A few weeks before the Def Con event, Wardle says Zoom issued a patch that fixed the bugs that he had initially discovered. But on closer analysis, another small error meant the bug was still exploitable.

So, a few days later, someone was able to bypass their “fix”. Is anyone else seeing a pattern here? https://arstechnica.com/information-technology/2022/08/zoom-patches-critical-vulnerability-again-after-prior-fix-was-bypassed/

I think I figured out why it irritates me so much. You expect software to have bugs. Bugs and vulnerabilities in websites are kind of the norm. When a bug in software I’ve installed on my workstation or laptop makes me more vulnerable, that’s what gets to me. And when a company or organization repeatedly releases vulnerable software, it indicates that there are problems in the processes and/or InfoSec culture of that company. Yes, I will join your Zoom meeting, but no, I won’t install their software to do it.