Comments by: Tim Mackey, Principal Security Strategist at Synopsys Software Integrity Group
If you’ve ever wondered what happens when there is a new security vulnerability in software, we can learn a lot from the Zoom zero-day discovery at this year’s Pwn2Own hacking contest. First and foremost, hackers aren’t all criminals. Most work for cybersecurity firms and are genuinely trying to find issues in software before the criminals do. That takes considerable effort, often more than a two-day event like Pwn2Own affords, so they do their homework. Part of that homework includes identifying how vulnerabilities impact systems. Contrary to what some might think, it’s usually not a single vulnerability that causes a breach, but far more likely a sequence of weaknesses that, when combined, pay off for the attacker. In the case of the Zoom zero-day, three vulnerabilities needed to be chained together to convince the Zoom Chat app to run an arbitrary program, such as the calculator.
Since the Pwn2Own participants are ethical hackers, they responsibly disclosed their attack pattern to Zoom. Zoom hasn’t yet issued a patch, but they have confirmed that the issue isn’t present in the Zoom Meetings or Zoom Webinar chat features. Such an investigation is part of the work any software team does when they receive a vulnerability disclosure. Once the Zoom team figures out how to patch the issue, they’ll issue an update, which will be released to the public with a disclosure.
From a public perspective, most of what I’ve outlined is part of the internal process that occurs before the public vulnerability disclosure that we typically hear about in the media. This is called a zero-day because there is a known security vulnerability, but no patch is available. Sure, publishing this information could tip off criminals, but with the Zoom team already stating that the issue is limited to the Zoom Chat app, and providing mitigation guidance saying that the attack can only come from an existing contact in the Chat app, they’re helping those of us in the public protect ourselves while the Zoom team works on a fix.