Zoom Vulnerabilities - Update Advised

On April 2, 2020, Zoom released an update to its Windows and macOS clients to address multiple security issues. The Information Security Office recommends that you update your Zoom client as soon as possible.
Two security vulnerabilities have been disclosed that may lead to credential theft and malware infection.

To update the Zoom application on your PC or Mac, go to the Zoom application menu (“zoom.us” on Mac) and select “Check for Updates…”. If this menu item is not available, uninstall Zoom and download the latest version from https://zoom.us/download (“Zoom Client for Meetings”).

For additional information on updating your Zoom client, see the Zoom documentation:
https://support.zoom.us/hc/en-us/articles/201362233-Where-Do-I-Download-The-Latest-Version-

This update fixes vulnerabilities within the Zoom client on both PC and Mac.

  • Within Zoom on Windows, the chat window turned Universal Naming Convention (UNC) paths into clickable links. When a user clicked such a link, Windows attempted to open the remote share and, as part of that connection, sent the user’s Windows login name and an NTLM password hash to the server named in the link. An attacker who controls that server can capture the hash and attempt to crack it offline to recover the password. On Windows, UNC paths are normally used to point at local network resources and look like \\SERVERNAME\Share\Directory\File.txt.
    • This is a good time to keep in mind a strong security practice: Do not click links before identifying that they are safe.
    • Before clicking, hover the cursor over the link and carefully read the address it actually points to; lookalike domains (google.co instead of google.com, for example) are a common trick.
  • On Mac, the Zoom installer ran part of its setup with root (administrator) privileges in a way that a local, unprivileged user could hijack. A local attacker can use this to gain root and then run and install malware or spyware.
    • Because this attack requires the attacker to already have local access to the computer, either sitting at it or running code under your user account, this is a good time to remember: Keep your computer secured, lock your screen when not in use, and do not share your password or keep it in a visible/accessible place.
    • A sticky note on or nearby the computer is a physical attacker’s best friend. If you need a safe place to securely store passwords, Case recommends using LastPass, and we offer LastPass Enterprise accounts to Case staff, faculty, and students for free.
    • Do not share your Case credentials with anyone, and do not allow family, friends, or anyone unauthorized (Case personnel or otherwise) to use your computer.
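As an added illustration of the link-checking habits above (this is example code written for this page, not code from the original advisory or from Zoom), the following Python checker scans a chat message and flags the two things the bullets warn about: UNC paths, which the vulnerable Zoom client rendered as clickable links, and web links whose domain is a near-miss of a trusted one. The allowlist of trusted domains and the sample chat message are constructed assumptions for the example.

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Constructed allowlist for this example: domains the organisation expects
# links to point at. An assumption for the example; replace with your own.
TRUSTED_DOMAINS = {"zoom.us", "google.com", "case.edu"}

# A UNC path: two backslashes, a host name, then a backslash and a share/path.
UNC_RE = re.compile(r"\\\\([^\\\s/]+)(\\[^\s]*)")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registered_domain(host: str) -> str:
    """'drive.google.co' -> 'google.co'. Last two labels only; production code
    should use a public-suffix list so names like example.co.uk are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a trusted domain one or two edits away is a
    classic lookalike (google.co, g00gle.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_links(text: str) -> list[dict]:
    """Return one finding per UNC path or URL found in a chat message."""
    findings = []
    for m in UNC_RE.finditer(text):
        findings.append({
            "link": m.group(0).rstrip(".,;:)"),
            "verdict": "block",
            "reason": (f"UNC path: opening it makes Windows authenticate to "
                       f"'{m.group(1)}' over SMB, exposing the NTLM hash"),
        })
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;:)")
        domain = registered_domain(urlsplit(url).hostname or "")
        if domain in TRUSTED_DOMAINS:
            findings.append({"link": url, "verdict": "ok",
                             "reason": f"{domain} is on the allowlist"})
            continue
        lookalikes = sorted(t for t in TRUSTED_DOMAINS
                            if 0 < edit_distance(domain, t) <= 2)
        if lookalikes:
            findings.append({"link": url, "verdict": "suspicious",
                             "reason": f"{domain} looks like {lookalikes[0]}"})
        else:
            findings.append({"link": url, "verdict": "unknown",
                             "reason": f"{domain} is not on the allowlist"})
    return findings


# Constructed sample chat message (not a real Zoom capture).
SAMPLE_MESSAGE = (
    r"Notes are at \\SERVERNAME\Share\Directory\File.txt, "
    "slides at https://drive.google.co/s/abc123 and the client at "
    "https://zoom.us/download."
)

if __name__ == "__main__":
    for f in check_links(SAMPLE_MESSAGE):
        print(f"{f['verdict']:10} {f['link']}  ({f['reason']})")
```

The UNC finding is the important one: the credential leak happens when Windows tries to open the share, before any file is shown, so hovering is not enough for those links. Zoom’s fix stops the client from turning UNC paths into links; on managed Windows machines, administrators can also block outbound SMB (TCP port 445) at the network edge or set the “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers” policy, with the caveat that denying all outgoing NTLM breaks authentication to workgroup file shares. The lookalike check is deliberately simple (two labels, edit distance of two or less) and will not catch every trick, such as hyphenated brand names.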

For more information, please see the following links:


Article written by:
Steven Hergert, Information Assurance Analyst